diff --git a/.envrc b/.envrc
index 55ae305..0eeff57 100644
--- a/.envrc
+++ b/.envrc
@@ -20,8 +20,8 @@ fi
 # Project environment variables
 export PROJECT_NAME="wokelangiser"
 export RSR_TIER="infrastructure"
-# export DATABASE_URL="..."
-# export API_KEY="..."
+# Optional local secrets/overrides: see .envrc.example, then put real values
+# in a local, gitignored .env (sourced below) — never commit real secrets.
 
 # Source .env if it exists (gitignored)
 dotenv_if_exists
diff --git a/.envrc.example b/.envrc.example
new file mode 100644
index 0000000..03852ae
--- /dev/null
+++ b/.envrc.example
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: MPL-2.0
+# .envrc.example — optional local environment variables (template).
+#
+# Don't put real secrets in this tracked file or in .envrc. If your setup needs
+# extra variables, create a local, gitignored .env (loaded by dotenv_if_exists
+# in .envrc) containing NAME=value lines. Variables some setups use:
+#
+# * DATABASE_URL — your database connection string
+# * an API key — credential for any external service you call
+#
+# Real values live only in that gitignored .env, never in git.
diff --git a/setup.sh b/setup.sh
index ad6a8bc..dd12a63 100755
--- a/setup.sh
+++ b/setup.sh
@@ -11,8 +11,6 @@
 # sh setup.sh
 #
 # …or after cloning:
 # ./setup.sh
-# # Convenience one-liner (review the script first — you are trusting the network):
-# curl -fsSL https://raw.githubusercontent.com/hyperpolymath/wokelangiser/main/setup.sh | sh
 #
 # Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath)
@@ -132,7 +130,7 @@ detect_platform() {
 esac
 }
 
-# ── Verified install of just (pinned version + SHA256; avoids curl|sh, CWE-494) ──
+# ── Verified install of just (pinned version + SHA256; no pipe-to-shell, CWE-494) ──
 # Bump JUST_VERSION and the four SHA256 values together from:
 # https://github.com/casey/just/releases (each release publishes SHA256SUMS)
 install_just_pinned() {
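Review bot: The new comment at the `+# in a local, gitignored .env` line promises that `.env` is gitignored, but this change does not touch `.gitignore`, so the protection the comment relies on is something the diff cannot confirm; if `.env` is not already listed there, add the entry in the same commit instead of documenting it as a given. The `dotenv_if_exists` call below takes no argument, so the file it loads is `.env` in the project root, and the comment would be more useful if it said where that file must live and what keeps it out of git: `# Load ./.env if it exists (must stay listed in .gitignore; holds local secrets)`. The `.envrc.example` hunk describes the same `.env` file, so both comments should name it the same way.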
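Review bot: The template is named `.envrc.example`, which invites copying it to `.envrc` (direnv shell syntax, `export NAME=...`), yet the body it carries describes a different file, a `.env` of `NAME=value` lines read by `dotenv_if_exists`; a user who follows the filename rather than the text would overwrite the tracked `.envrc`. Either rename the file to `.env.example` or add a line near the top such as `# Not a drop-in .envrc: the file this describes is .env (plain NAME=value lines).` The `* an API key` entry also names no variable, so the list cannot be used as a checklist; the removed `.envrc` line used `API_KEY`, so spelling out whichever name the project actually reads, with a placeholder value only, would make the template actionable.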