diff --git a/.jules/sentinel.md b/.jules/sentinel.md
index 9bd1f25..6b155da 100644
--- a/.jules/sentinel.md
+++ b/.jules/sentinel.md
@@ -47,6 +47,14 @@
 **Vulnerability:** Path/URL manipulation and injection caused by unvalidated dynamic variables (e.g., dynamically fetching latest version strings via API calls).
 **Learning:** Variables that determine file paths or download URLs, even when fetched from typically trusted external sources (like a GitHub API), must be treated as untrusted input. If an API response is manipulated or unexpected (e.g., changing a version string to `../../../etc/passwd` or embedding shell commands), it can lead to path traversal, arbitrary file writes, or URL redirection vulnerabilities.
 **Prevention:** Always validate dynamically fetched data (like tags or version strings) against strict allow-lists (using POSIX-compliant regex like `^[0-9]+\.[0-9]+\.[0-9]+$`) before interpolating them into paths, URLs, or executing them.
+## 2026-05-15 - Prevent Remote Script Execution in Node.js Installation
+**Vulnerability:** Directly piping downloaded remote scripts into bash (`curl -fsSL <url> | bash -`) allows arbitrary code execution.
+**Learning:** NodeSource provides native manual package manager configuration methods which avoid executing mutable remote setup scripts entirely. For dynamic aliases like `lts`, the numeric version can be safely parsed from the remote script using `grep` instead of executing it. Furthermore, downloading APT repository keys as ASCII-armored (`.asc`) files natively supported by `apt` is preferable to piping them through `gpg --dearmor` to avoid dependencies on `gnupg`.
+**Prevention:** Avoid `curl | bash` in DevContainer setup scripts; configure package manager repositories directly via standard configuration files (`/etc/apt/sources.list.d/`, `/etc/yum.repos.d/`) and import GPG keys securely.
+## 2026-05-15 - Clean up development scratch files
+**Vulnerability:** Accidental commit of development scripts and scratch files (e.g. `resolver.py`, `test_script.sh`, `benchmark.sh`) into the repository.
+**Learning:** Temporary tools and scripts created to assist in conflict resolution, debugging, or execution during development are not part of the final codebase. Committing them creates repository bloat and potential security/maintenance overhead.
+**Prevention:** Before committing changes or requesting a code review, always verify the status with `git status` and delete any temporary files, mock scripts, or scratchpads. Ensure that only intentionally modified, project-relevant source files are staged and committed.
 
 ## 2024-05-15 - Sudo Option Injection Prevention
 **Vulnerability:** Option injection during privilege escalation.
diff --git a/src/mermaid/install.sh b/src/mermaid/install.sh
index 355ba8c..cd0471a 100644
--- a/src/mermaid/install.sh
+++ b/src/mermaid/install.sh
@@ -152,32 +152,43 @@ install_nodejs() {
     fi
 
     echo "[INFO] Installing Node.js ${NODE_VERSION}..."
-    local node_major="${NODE_VERSION}"
-    if [ "$node_major" = "lts" ]; then node_major="20"; fi
+
+    local RESOLVED_NODE_VERSION="${NODE_VERSION}"
+    if [ "${NODE_VERSION}" = "lts" ]; then
+        echo "[INFO] Resolving Node.js LTS version from NodeSource..."
+        RESOLVED_NODE_VERSION=$(curl -fsSL https://deb.nodesource.com/setup_lts.x | grep '^NODE_VERSION=' | cut -d'"' -f2 | cut -d'.' -f1)
+        if [ -z "$RESOLVED_NODE_VERSION" ]; then
+            echo "[ERROR] Failed to resolve Node.js LTS version. Falling back to 22."
+            RESOLVED_NODE_VERSION="22"
+        fi
+        echo "[INFO] Resolved LTS version to ${RESOLVED_NODE_VERSION}.x"
+    fi
 
     case "$OS_ID" in
         ubuntu|debian)
+            mkdir -p /usr/share/keyrings
             curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /usr/share/keyrings/nodesource.gpg
             cat <<EOF > /etc/apt/sources.list.d/nodesource.sources
 Types: deb
-URIs: https://deb.nodesource.com/node_${node_major}.x
+URIs: https://deb.nodesource.com/node_${RESOLVED_NODE_VERSION}.x
 Suites: nodistro
 Components: main
 Signed-By: /usr/share/keyrings/nodesource.gpg
 EOF
             apt-get update -y
+            # NodeSource nodejs bundles npm; installing Ubuntu's npm package conflicts
             apt-get install -y nodejs
             ;;
         fedora)
             dnf module reset -y nodejs || true
-            dnf module enable -y "nodejs:${node_major}" || dnf install -y nodejs
+            dnf module enable -y "nodejs:${RESOLVED_NODE_VERSION}" || dnf install -y nodejs
             dnf install -y nodejs npm
             ;;
         centos|rhel|rocky|almalinux)
             cat <<EOF > /etc/yum.repos.d/nodesource.repo
 [nodesource-nodejs]
 name=Node.js Packages for Linux RPM based distros - \$basearch
-baseurl=https://rpm.nodesource.com/pub_${node_major}.x/nodistro/nodejs/\$basearch
+baseurl=https://rpm.nodesource.com/pub_${RESOLVED_NODE_VERSION}.x/nodistro/nodejs/\$basearch
 priority=9
 enabled=1
 gpgcheck=1
@@ -289,4 +300,4 @@ main() {
     echo "[INFO] Mermaid setup complete."
 }
 
-main
+main
\ No newline at end of file