diff --git a/config/shell/bash_aliases b/config/shell/bash_aliases
index a0e082f..82934aa 100644
--- a/config/shell/bash_aliases
+++ b/config/shell/bash_aliases
@@ -1,18 +1,25 @@
+# bash-specific setup; portable aliases live in ~/.shell_aliases
 PS1='\[\033]0;\u - \w\007\]\[\033[44;37m\]'$(printf '_%.0s' $(seq 1 $(tput cols)))'\[\033[1;0m\]\r\n\t \w :\n\$ '
 [[ -f ~/.bash_prompt ]] && . ~/.bash_prompt
-alias mv="mv -vi"
-alias cp="cp -vi"
 alias '+'='pushd .'
 alias -- '-'='popd'
-alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'
-alias pushalert='pushover --title "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'
+command -v notify-send >/dev/null 2>&1 && alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'
+command -v pushover >/dev/null 2>&1 && alias pushalert='pushover --title "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'
 [[ -f ~/.shell_aliases ]] && . ~/.shell_aliases
-[[ -f ~/.config/z.sh ]] && . ~/.config/z.sh
-[[ -f ~/.oh-my-zsh/plugins/z/z.sh ]] && . ~/.oh-my-zsh/plugins/z/z.sh && set $_Z_OWNER=$(whoami)
-[[ -f ~/.cargo/bin/zoxide ]] && . <(~/.cargo/bin/zoxide init bash)
-[[ -f ~/.http_proxy ]] && . /home/tke/.http_proxy #PROXY_A93JK2
+
+# directory jumper: zoxide where installed, z.sh as fallback (proxy env is installer-managed, see scripts/proxy/)
+if command -v zoxide >/dev/null 2>&1; then
+  eval "$(zoxide init bash)"
+elif [[ -x ~/.cargo/bin/zoxide ]]; then
+  eval "$(~/.cargo/bin/zoxide init bash)"
+elif [[ -f ~/.config/z.sh ]]; then
+  . ~/.config/z.sh
+elif [[ -f ~/.oh-my-zsh/plugins/z/z.sh ]]; then
+  export _Z_OWNER=$(whoami)
+  . ~/.oh-my-zsh/plugins/z/z.sh
+fi
+
 [[ -f /usr/share/doc/fzf/examples/key-bindings.bash ]] && source /usr/share/doc/fzf/examples/key-bindings.bash
 [[ -f /usr/share/doc/fzf/examples/completion.bash ]] && source /usr/share/doc/fzf/examples/completion.bash
 HISTTIMEFORMAT="%F %T "
-shopt -s autocd
-alias ll='lsd -lAF'
+shopt -s autocd 2>/dev/null || true  # bash >= 4 only; macOS ships 3.2
diff --git a/config/shell/shell_aliases b/config/shell/shell_aliases
index f31cb53..73cf5ee 100644
--- a/config/shell/shell_aliases
+++ b/config/shell/shell_aliases
@@ -1,7 +1,13 @@
-#!/bin/bash
-alias cp="cp -vi"
+# shell_aliases — portable aliases for bash and zsh, Linux and macOS.
+# Sourced (not executed); everything optional is guarded so missing tools are skipped.
+
+alias cp='cp -vi'
+alias mv='mv -vi'
 alias sless='less -S -R'
-alias dockerstatus="docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock moncho/dry"
+
+# --- docker run wrappers ---
+# naming: trailing/extra "n" = network enabled, otherwise --network=none
+alias dockerstatus='docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock moncho/dry'
 alias dockerip="docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}'"
 alias dritn='docker run -i -t --rm '
 alias drit='docker run -i -t --rm --network=none'
@@ -9,52 +15,86 @@ alias dritpwn='docker run -i -t --rm -v "$(mktemp -d):/output" -v "$(pwd)":/data
 alias dritpwnrw='docker run -i -t --rm -v "$(mktemp -d):/output" -v "$(pwd)":/data:rw'
 alias dritpw='docker run -i -t --rm --network=none -v "$(mktemp -d):/output" -v "$(pwd)":/data:ro'
 alias dritpwrw='docker run -i -t --rm --network=none -v "$(mktemp -d):/output" -v "$(pwd)":/data:rw'
-alias kali='docker run --rm -it -v ${workdir-`pwd`}:/root/workdir kalilinux/kali-rolling'
-alias lazydocker="docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock -v /opt/lazydocker:/.config/jesseduffield/lazydocker lazyteam/lazydocker"
-alias mv="mv -vi"
-alias ntfsmount='sudo mount -o ro,show_sys_files,streams_interface=windows'
-alias powershell='docker run --rm -it -v ${workdir-`pwd`}:/data mcr.microsoft.com/powershell pwsh'
-alias ppxml="xmllin --format -"
-alias ppxml="xmlstarlet format --indent-tab"
+alias kali='docker run --rm -it -v "${workdir:-$(pwd)}":/root/workdir kalilinux/kali-rolling'
+alias lazydocker='docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock -v /opt/lazydocker:/.config/jesseduffield/lazydocker lazyteam/lazydocker'
+alias powershell='docker run --rm -it -v "${workdir:-$(pwd)}":/data mcr.microsoft.com/powershell pwsh'
 alias pwsh=powershell
-alias remnux_crits_start='sudo docker run --rm --name critsy -it -v ${workdir-`pwd`}:/home/nonroot/workdir -p 8443:8443 remnux/crits'
-alias remnux_crits_stop="sudo docker stop critsy"
-alias remnux_jsdetox_start="sudo docker run --rm --name jsdetoxy --rm -p 3000:3000 remnux/jsdetox"
-alias remnux_jsdetox_stop="sudo docker stop jsdetoxy"
-alias remnux_mastiff='sudo docker run --rm -it -v ${workdir-`pwd`}:/home/nonroot/workdir remnux/mastiff'
+alias dockerips="docker ps -q | xargs docker inspect --format '{{.Name}}{{range \$n, \$c := .NetworkSettings.Networks}}  {{\$n}}: {{\$c.IPAddress}}{{end}}'"
+alias dissect='dritpw tabledevil/dissect'
+
+# --- remnux containers ---
+alias remnux_crits_start='sudo docker run --rm --name critsy -it -v "${workdir:-$(pwd)}":/home/nonroot/workdir -p 8443:8443 remnux/crits'
+alias remnux_crits_stop='sudo docker stop critsy'
+alias remnux_jsdetox_start='sudo docker run --rm --name jsdetoxy -p 3000:3000 remnux/jsdetox'
+alias remnux_jsdetox_stop='sudo docker stop jsdetoxy'
+alias remnux_mastiff='sudo docker run --rm -it -v "${workdir:-$(pwd)}":/home/nonroot/workdir remnux/mastiff'
 alias remnux_msf='docker run --rm -it -p 443:443 -v ~/.msf4:/root/.msf4 -v /tmp/msf:/tmp/data remnux/metasploit'
-alias remnux_pescanner='docker run --rm -it --dns=192.168.130.1 -v ${workdir-`pwd`}:/home/nonroot/workdir remnux/pescanner bash'
-alias remnux_rekall='docker run --rm -it -p 8000:8000 --dns=192.168.130.1 -v ${workdir-`pwd`}:/home/nonroot/files remnux/rekall bash'
+alias remnux_pescanner='docker run --rm -it --dns=192.168.130.1 -v "${workdir:-$(pwd)}":/home/nonroot/workdir remnux/pescanner bash'
+alias remnux_rekall='docker run --rm -it -p 8000:8000 --dns=192.168.130.1 -v "${workdir:-$(pwd)}":/home/nonroot/files remnux/rekall bash'
 alias remnux_thug='sudo docker run --rm -it --dns=192.168.130.1 -v /var/log/docker/thug_logs:/home/thug/logs remnux/thug ./thug.py -F '
-alias remnux_viper='docker run --rm -it --dns=192.168.130.1 -v ${workdir-`pwd`}:/home/nonroot/workdir remnux/viper bash'
-alias remnux_vol='docker run --rm -it -v ${workdir-`pwd`}:/home/nonroot/memdumps remnux/volatility bash'
-alias locate='locate -i -A'
-alias mc='source /usr/lib/mc/mc-wrapper.sh'
+alias remnux_viper='docker run --rm -it --dns=192.168.130.1 -v "${workdir:-$(pwd)}":/home/nonroot/workdir remnux/viper bash'
+alias remnux_vol='docker run --rm -it -v "${workdir:-$(pwd)}":/home/nonroot/memdumps remnux/volatility bash'
+
+# --- text / data helpers ---
+alias ppxml='xmlstarlet format --indent-tab'
 alias evtvd='vd -f csv --skip 5'
-alias rot13='tr "abcdefghijklmnopqrstuvwxyz" "nopqrstuvwxyzabcdefghijklm"'
+alias rot13="tr 'A-Za-z' 'N-ZA-Mn-za-m'"
 alias uniq2='awk '"'"'{a[$0]++; if (a[$0]==1) print $0 }'"'"
-alias pip='pip3'
-alias python='python3'
+
+# --- linux-only tools ---
+if [[ "$OSTYPE" == linux* ]]; then
+  alias locate='locate -i -A'
+  alias ntfsmount='sudo mount -o ro,show_sys_files,streams_interface=windows'
+fi
+[ -f /usr/lib/mc/mc-wrapper.sh ] && alias mc='. /usr/lib/mc/mc-wrapper.sh'
+if command -v usbguard >/dev/null 2>&1; then
+  alias usbb='usbguard list-devices -b'
+  alias usba='usbguard allow-device'
+fi
+if command -v apt-cache >/dev/null 2>&1 && command -v fzf >/dev/null 2>&1; then
+  alias searchpackage="apt-cache search '' | sort | cut --delimiter ' ' --fields 1 | fzf --multi --cycle --reverse --preview 'apt-cache show {1}' | xargs -r sudo apt install -y"
+fi
+
+# --- python / rust tool shims ---
+command -v python3 >/dev/null 2>&1 && alias python='python3'
+command -v pip3 >/dev/null 2>&1 && alias pip='pip3'
+command -v fdfind >/dev/null 2>&1 && alias fd='fdfind'
+
+# --- modern ls: eza > lsd > plain ls ---
+if command -v eza >/dev/null 2>&1; then
+  alias ll='eza -l --icons --group-directories-first'
+  alias lt='eza -lT --level 2 --git-ignore --group-directories-first'
+elif command -v lsd >/dev/null 2>&1; then
+  alias ll='lsd -lAF'
+  alias lt='lsd -lA --tree --depth 2'
+else
+  alias ll='ls -lAF'
+fi
+
+# --- bat as manpager (bat on most distros, batcat on ubuntu/debian) ---
+if command -v bat >/dev/null 2>&1; then
+  export MANPAGER="sh -c 'col -bx | bat -l man -p'"
+elif command -v batcat >/dev/null 2>&1; then
+  alias bat='batcat'
+  export MANPAGER="sh -c 'col -bx | batcat -l man -p'"
+fi
+
+# --- functions ---
 function bindiff() { cmp -l "${1}" "${2}" | gawk '{printf "%s,%02X,%02X\n",$1,strtonum(0$2),strtonum(0$3) }' ; }
 function avscan(){ av="${1:-kaspersky}" ; if [ "${av}" == "update" ] ; then ( docker pull tabledevil/kaspersky ; docker pull tabledevil/sep ; docker pull tabledevil/clamav) ; elif [[ $# -eq 2 ]] ; then dritpw "tabledevil/${av}" "${2}" ; else dritpw "tabledevil/${av}" scan ; fi ;  }
 function dockerfa() {  [[ $# -eq 0 ]] && wpd=$(readlink -f . ) || wpd=$(readlink -f "${1}");  docker run -it --rm -v "${wpd}":/data tabledevil/file-analysis;}
 function docker_killall() { docker rm $(docker stop $(docker ps -a -q --filter ancestor="${1}" --format="{{.ID}}")) ; }
-function dockertags() {     tags=`wget -q https://registry.hub.docker.com/v1/repositories/${1}/tags -O -  | sed -e 's/[][]//g' -e 's/"//g' -e 's/ //g' | tr '}' '\n'  | awk -F: '{print $3}'`;     if [ -n "$2" ] ; then          tags=` echo "${tags}" | grep "$2" `;     fi ;     echo "${tags}" ;     }
-alias pip='pip3'
-alias python='python3'
-alias usbb="usbguard list-devices -b"
-alias usba="usbguard allow-device"
-alias searchpackage="apt-cache search '' | sort | cut --delimiter ' ' --fields 1 | fzf --multi --cycle --reverse --preview 'apt-cache show {1}' | xargs -r sudo apt install -y"
-if (hash exa 2>/dev/null) ; then
-  alias ll='exa -l --git --icons --group-directories-first'
-  alias ll='exa -l --icons --group-directories-first'
-  alias lt='exa -lT --level 2 --git --git-ignore --group-directories-first'
-  alias lt='exa -lT --level 2 --git-ignore --group-directories-first'
-fi
-if (hash bat 2>/dev/null) ; then
-  export MANPAGER="sh -c 'col -bx | bat -l man -p'"
-fi
-function unsetproxy() { unset $(env | grep -Pio '^https?_proxy' | xargs) ; }
-hash fdfind 2>/dev/null && alias fd=fdfind
-alias dissect="dritpw tabledevil/dissect"
+
+# list tags of a docker hub repo, optionally filtered (hub API caps at 100 per page)
+function dockertags() {
+  local repo="${1:?usage: dockertags <repo> [filter]}"
+  [[ "$repo" != */* ]] && repo="library/${repo}"
+  local tags
+  tags=$(curl -fsSL "https://hub.docker.com/v2/repositories/${repo}/tags/?page_size=100" \
+    | python3 -c 'import json,sys; [print(r["name"]) for r in json.load(sys.stdin).get("results",[])]')
+  [ -n "$2" ] && tags=$(echo "${tags}" | grep "$2")
+  echo "${tags}"
+}
+
+function unsetproxy() { unset http_proxy https_proxy HTTP_PROXY HTTPS_PROXY all_proxy ALL_PROXY ftp_proxy FTP_PROXY ; }
 function nsrt() {     local col=$1;     shift;     awk -v c="$col" '{print $c, $0}' "$@" | sort -k1,1 -n | cut -d' ' -f2-; }