diff --git a/.gitignore b/.gitignore
index 87242efc..678dbe0a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,15 @@ node_modules/
 __pycache__/
 .claude/skills/*/start-*.sh
 cli/cli.js
+
+# Sensitive files — never commit secrets or private keys
+.env
+.env.*
+*.pem
+*.key
+*.p12
+*.pfx
+id_rsa
+id_ed25519
+credentials.json
+service-account.json
diff --git a/cli/install.sh b/cli/install.sh
index 4463d25f..914ea00d 100755
--- a/cli/install.sh
+++ b/cli/install.sh
@@ -21,9 +21,9 @@ YELLOW='\033[1;33m'
 BOLD='\033[1m'
 NC='\033[0m'
 
-log_info()  { echo -e "${GREEN}[spawn]${NC} $1"; }
-log_warn()  { echo -e "${YELLOW}[spawn]${NC} $1"; }
-log_error() { echo -e "${RED}[spawn]${NC} $1"; }
+log_info()  { printf "${GREEN}[spawn]${NC} %s\n" "$1"; }
+log_warn()  { printf "${YELLOW}[spawn]${NC} %s\n" "$1"; }
+log_error() { printf "${RED}[spawn]${NC} %s\n" "$1"; }
 
 # --- Helper: compare semver strings ---
 # Returns 0 (true) if $1 >= $2
diff --git a/test/run.sh b/test/run.sh
index 683fbb0e..ac20b551 100644
--- a/test/run.sh
+++ b/test/run.sh
@@ -15,7 +15,7 @@
 #   bash test/run.sh claude       # test one script
 #   bash test/run.sh --remote     # test remote source (from GitHub)
 
-set -uo pipefail
+set -eo pipefail
 
 REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 TEST_DIR=$(mktemp -d)
@@ -310,7 +310,7 @@ _test_sprite_remote_source() {
     fi
     local remote_fns
     remote_fns=$(bash -c '
-        source <(curl -fsSL https://raw.githubusercontent.com/OpenRouterTeam/spawn/main/sprite/lib/common.sh)
+        eval "$(curl -fsSL https://raw.githubusercontent.com/OpenRouterTeam/spawn/main/sprite/lib/common.sh)"
         type log_info &>/dev/null && echo "OK" || echo "FAIL"
     ' 2>/dev/null)
     assert_equals "${remote_fns}" "OK" "Remote source from GitHub works"