diff --git a/pkg/build/builders/docker.go b/pkg/build/builders/docker.go
index ba6b35a..beb7cfd 100644
--- a/pkg/build/builders/docker.go
+++ b/pkg/build/builders/docker.go
@@ -187,7 +187,7 @@ func (b *DockerBuilder) Build(ctx context.Context, cfg *build.Config, targets []
 func (b *DockerBuilder) validateDockerCli() error {
 	cmd := exec.Command("docker", "--version")
 	if err := cmd.Run(); err != nil {
-		return coreerr.E("DockerBuilder.validateDockerCli", "docker CLI not found. Install it from https://docs.docker.com/get-docker/", nil)
+		return coreerr.E("DockerBuilder.validateDockerCli", "docker CLI not found. Install it from https://docs.docker.com/get-docker/", err)
 	}
 	return nil
 }
@@ -197,7 +197,7 @@ func (b *DockerBuilder) ensureBuildx(ctx context.Context) error {
 	// Check if buildx is available
 	cmd := exec.CommandContext(ctx, "docker", "buildx", "version")
 	if err := cmd.Run(); err != nil {
-		return coreerr.E("DockerBuilder.ensureBuildx", "buildx is not available. Install it from https://docs.docker.com/buildx/working-with-buildx/", nil)
+		return coreerr.E("DockerBuilder.ensureBuildx", "buildx is not available. Install it from https://docs.docker.com/buildx/working-with-buildx/", err)
 	}
 
 	// Check if we have a builder, create one if not
diff --git a/pkg/build/builders/wails.go b/pkg/build/builders/wails.go
index e58bfa2..4e40e16 100644
--- a/pkg/build/builders/wails.go
+++ b/pkg/build/builders/wails.go
@@ -144,10 +144,10 @@ func (b *WailsBuilder) buildV2Target(ctx context.Context, cfg *build.Config, tar
 	// Simple copy using the medium
 	content, err := cfg.FS.Read(sourcePath)
 	if err != nil {
-		return build.Artifact{}, err
+		return build.Artifact{}, coreerr.E("WailsBuilder.buildV2Target", "failed to read artifact "+sourcePath, err)
 	}
 	if err := cfg.FS.Write(destPath, content); err != nil {
-		return build.Artifact{}, err
+		return build.Artifact{}, coreerr.E("WailsBuilder.buildV2Target", "failed to write artifact "+destPath, err)
 	}
 
 	return build.Artifact{
diff --git a/pkg/build/signing/codesign.go b/pkg/build/signing/codesign.go
index c8aeaf1..5357759 100644
--- a/pkg/build/signing/codesign.go
+++ b/pkg/build/signing/codesign.go
@@ -42,7 +42,13 @@ func (s *MacOSSigner) Available() bool {
 // Sign codesigns a binary with hardened runtime.
 func (s *MacOSSigner) Sign(ctx context.Context, fs io.Medium, binary string) error {
 	if !s.Available() {
-		return coreerr.E("codesign.Sign", "codesign not available", nil)
+		if runtime.GOOS != "darwin" {
+			return coreerr.E("codesign.Sign", "codesign is only available on macOS", nil)
+		}
+		if s.config.Identity == "" {
+			return coreerr.E("codesign.Sign", "codesign identity not configured", nil)
+		}
+		return coreerr.E("codesign.Sign", "codesign tool not found in PATH", nil)
 	}
 
 	cmd := exec.CommandContext(ctx, "codesign",
diff --git a/pkg/build/signing/sign.go b/pkg/build/signing/sign.go
index 3e17a29..0539999 100644
--- a/pkg/build/signing/sign.go
+++ b/pkg/build/signing/sign.go
@@ -90,7 +90,7 @@ func SignChecksums(ctx context.Context, fs io.Medium, cfg SignConfig, checksumFi
 
 	fmt.Printf("  Signing %s with GPG...\n", checksumFile)
 	if err := signer.Sign(ctx, fs, checksumFile); err != nil {
-		return coreerr.E("signing.SignChecksums", "failed to sign checksums", err)
+		return coreerr.E("signing.SignChecksums", "failed to sign checksums file "+checksumFile, err)
 	}
 
 	return nil
diff --git a/pkg/release/publishers/chocolatey.go b/pkg/release/publishers/chocolatey.go
index 04f1a25..7df2b0e 100644
--- a/pkg/release/publishers/chocolatey.go
+++ b/pkg/release/publishers/chocolatey.go
@@ -245,8 +245,9 @@ func (p *ChocolateyPublisher) pushToChocolatey(ctx context.Context, packageDir s
 		return coreerr.E("chocolatey.Publish", "choco pack failed", err)
 	}
 
-	// Push the package
-	cmd = exec.CommandContext(ctx, "choco", "push", nupkgPath, "--source", "https://push.chocolatey.org/", "--api-key", apiKey)
+	// Push the package — pass API key via environment variable to avoid exposing it in process listings
+	cmd = exec.CommandContext(ctx, "choco", "push", nupkgPath, "--source", "https://push.chocolatey.org/")
+	cmd.Env = append(os.Environ(), "chocolateyApiKey="+apiKey)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 	if err := cmd.Run(); err != nil {
diff --git a/pkg/release/publishers/github.go b/pkg/release/publishers/github.go
index 0c02fef..2efb1af 100644
--- a/pkg/release/publishers/github.go
+++ b/pkg/release/publishers/github.go
@@ -148,14 +148,14 @@ func validateGhCli() error {
 	// Check if gh is installed
 	cmd := exec.Command("gh", "--version")
 	if err := cmd.Run(); err != nil {
-		return coreerr.E("github.validateGhCli", "gh CLI not found. Install it from https://cli.github.com", nil)
+		return coreerr.E("github.validateGhCli", "gh CLI not found. Install it from https://cli.github.com", err)
 	}
 
 	// Check if authenticated
 	cmd = exec.Command("gh", "auth", "status")
 	output, err := cmd.CombinedOutput()
 	if err != nil {
-		return coreerr.E("github.validateGhCli", "not authenticated with gh CLI. Run 'gh auth login' first", nil)
+		return coreerr.E("github.validateGhCli", "not authenticated with gh CLI. Run 'gh auth login' first", err)
 	}
 
 	if !strings.Contains(string(output), "Logged in") {
diff --git a/pkg/release/publishers/npm.go b/pkg/release/publishers/npm.go
index 7ab9429..da246ef 100644
--- a/pkg/release/publishers/npm.go
+++ b/pkg/release/publishers/npm.go
@@ -91,7 +91,7 @@ func (p *NpmPublisher) Publish(ctx context.Context, release *Release, pubCfg Pub
 	}
 
 	if dryRun {
-		return p.dryRunPublish(release.FS, data, &npmCfg)
+		return p.dryRunPublish(release.FS, data)
 	}
 
 	return p.executePublish(ctx, release.FS, data, &npmCfg)
@@ -130,7 +130,7 @@ type npmTemplateData struct {
 }
 
 // dryRunPublish shows what would be done without actually publishing.
-func (p *NpmPublisher) dryRunPublish(m coreio.Medium, data npmTemplateData, cfg *NpmConfig) error {
+func (p *NpmPublisher) dryRunPublish(m coreio.Medium, data npmTemplateData) error {
 	fmt.Println()
 	fmt.Println("=== DRY RUN: npm Publish ===")
 	fmt.Println()
diff --git a/pkg/release/publishers/npm_test.go b/pkg/release/publishers/npm_test.go
index ff21819..aeeb24f 100644
--- a/pkg/release/publishers/npm_test.go
+++ b/pkg/release/publishers/npm_test.go
@@ -161,12 +161,7 @@ func TestNpmPublisher_DryRunPublish_Good(t *testing.T) {
 			BinaryName:  "mycli",
 			Description: "My CLI",
 		}
-		cfg := &NpmConfig{
-			Package: "@myorg/mycli",
-			Access:  "public",
-		}
-
-		err := p.dryRunPublish(io.Local, data, cfg)
+		err := p.dryRunPublish(io.Local, data)
 
 		_ = w.Close()
 		var buf bytes.Buffer
@@ -199,12 +194,8 @@ func TestNpmPublisher_DryRunPublish_Good(t *testing.T) {
 			Repository: "org/repo",
 			BinaryName: "cli",
 		}
-		cfg := &NpmConfig{
-			Package: "@private/cli",
-			Access:  "restricted",
-		}
 
-		err := p.dryRunPublish(io.Local, data, cfg)
+		err := p.dryRunPublish(io.Local, data)
 
 		_ = w.Close()
 		var buf bytes.Buffer
diff --git a/pkg/release/publishers/scoop.go b/pkg/release/publishers/scoop.go
index af54091..9a7132c 100644
--- a/pkg/release/publishers/scoop.go
+++ b/pkg/release/publishers/scoop.go
@@ -255,9 +255,10 @@ func (p *ScoopPublisher) renderTemplate(m coreio.Medium, name string, data scoop
 	customPath := filepath.Join(".core", name)
 	if m != nil && m.IsFile(customPath) {
 		customContent, err := m.Read(customPath)
-		if err == nil {
-			content = []byte(customContent)
+		if err != nil {
+			return "", coreerr.E("scoop.renderTemplate", "failed to read custom template "+customPath, err)
 		}
+		content = []byte(customContent)
 	}
 
 	// Fallback to embedded template