diff --git a/README.md b/README.md
index 3af3f72..9003838 100644
--- a/README.md
+++ b/README.md
@@ -52,48 +52,33 @@ Developer machines are the new attack surface. They hold high-value assets — G
 
 ### Install from release (recommended)
 
-Download the latest binary for your platform from [GitHub Releases](https://github.com/step-security/dev-machine-guard/releases):
+Download the latest binary for your platform from [GitHub Releases](https://github.com/step-security/dev-machine-guard/releases). Release asset filenames include the version, so the snippets below resolve the latest tag first.
 
-**macOS:**
+**macOS** (universal binary — Apple Silicon and Intel)
 
 ```bash
-# Apple Silicon (M1/M2/M3/M4)
-curl -sSL https://github.com/step-security/dev-machine-guard/releases/latest/download/stepsecurity-dev-machine-guard_darwin_arm64 -o stepsecurity-dev-machine-guard
+VERSION=$(curl -fsSL https://api.github.com/repos/step-security/dev-machine-guard/releases/latest | grep '"tag_name"' | cut -d'"' -f4 | sed 's/^v//')
+curl -fsSL "https://github.com/step-security/dev-machine-guard/releases/download/v${VERSION}/stepsecurity-dev-machine-guard-${VERSION}-darwin" -o stepsecurity-dev-machine-guard
 chmod +x stepsecurity-dev-machine-guard
-
-# Intel Mac
-curl -sSL https://github.com/step-security/dev-machine-guard/releases/latest/download/stepsecurity-dev-machine-guard_darwin_amd64 -o stepsecurity-dev-machine-guard
-chmod +x stepsecurity-dev-machine-guard
-
-# Run the scan
 ./stepsecurity-dev-machine-guard
 ```
 
-**Windows:**
+**Windows** (PowerShell — signed build)
 
 ```powershell
-# x64
-Invoke-WebRequest -Uri "https://github.com/step-security/dev-machine-guard/releases/latest/download/stepsecurity-dev-machine-guard_windows_amd64.exe" -OutFile "stepsecurity-dev-machine-guard.exe"
-
-# ARM64
-Invoke-WebRequest -Uri "https://github.com/step-security/dev-machine-guard/releases/latest/download/stepsecurity-dev-machine-guard_windows_arm64.exe" -OutFile "stepsecurity-dev-machine-guard.exe"
-
-# Run the scan
+$version = (Invoke-RestMethod https://api.github.com/repos/step-security/dev-machine-guard/releases/latest).tag_name.TrimStart('v')
+$arch = if ($env:PROCESSOR_ARCHITECTURE -eq 'ARM64') { 'arm64' } else { 'amd64' }
+Invoke-WebRequest -Uri "https://github.com/step-security/dev-machine-guard/releases/download/v$version/stepsecurity-dev-machine-guard-$version-windows_${arch}_signed.exe" -OutFile "stepsecurity-dev-machine-guard.exe"
 .\stepsecurity-dev-machine-guard.exe
 ```
 
-**Linux:**
+**Linux**
 
 ```bash
-# x64
-curl -sSL https://github.com/step-security/dev-machine-guard/releases/latest/download/stepsecurity-dev-machine-guard_linux_amd64 -o stepsecurity-dev-machine-guard
-chmod +x stepsecurity-dev-machine-guard
-
-# ARM64
-curl -sSL https://github.com/step-security/dev-machine-guard/releases/latest/download/stepsecurity-dev-machine-guard_linux_arm64 -o stepsecurity-dev-machine-guard
+VERSION=$(curl -fsSL https://api.github.com/repos/step-security/dev-machine-guard/releases/latest | grep '"tag_name"' | cut -d'"' -f4 | sed 's/^v//')
+ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
+curl -fsSL "https://github.com/step-security/dev-machine-guard/releases/download/v${VERSION}/stepsecurity-dev-machine-guard-${VERSION}-linux_${ARCH}" -o stepsecurity-dev-machine-guard
 chmod +x stepsecurity-dev-machine-guard
-
-# Run the scan
 ./stepsecurity-dev-machine-guard
 ```
 
diff --git a/docs/community-mode.md b/docs/community-mode.md
index e0ef814..4198c3f 100644
--- a/docs/community-mode.md
+++ b/docs/community-mode.md
@@ -17,25 +17,32 @@ make build
 
 Or download a pre-built binary without cloning:
 
-**macOS:**
+Release asset filenames include the version, so the snippets below resolve the latest tag first.
+
+**macOS** (universal binary — Apple Silicon and Intel)
 
 ```bash
-curl -sSL https://github.com/step-security/dev-machine-guard/releases/latest/download/stepsecurity-dev-machine-guard_darwin_arm64 -o stepsecurity-dev-machine-guard
+VERSION=$(curl -fsSL https://api.github.com/repos/step-security/dev-machine-guard/releases/latest | grep '"tag_name"' | cut -d'"' -f4 | sed 's/^v//')
+curl -fsSL "https://github.com/step-security/dev-machine-guard/releases/download/v${VERSION}/stepsecurity-dev-machine-guard-${VERSION}-darwin" -o stepsecurity-dev-machine-guard
 chmod +x stepsecurity-dev-machine-guard
 ./stepsecurity-dev-machine-guard
 ```
 
-**Windows:**
+**Windows** (PowerShell — signed build)
 
 ```powershell
-Invoke-WebRequest -Uri "https://github.com/step-security/dev-machine-guard/releases/latest/download/stepsecurity-dev-machine-guard_windows_amd64.exe" -OutFile "stepsecurity-dev-machine-guard.exe"
+$version = (Invoke-RestMethod https://api.github.com/repos/step-security/dev-machine-guard/releases/latest).tag_name.TrimStart('v')
+$arch = if ($env:PROCESSOR_ARCHITECTURE -eq 'ARM64') { 'arm64' } else { 'amd64' }
+Invoke-WebRequest -Uri "https://github.com/step-security/dev-machine-guard/releases/download/v$version/stepsecurity-dev-machine-guard-$version-windows_${arch}_signed.exe" -OutFile "stepsecurity-dev-machine-guard.exe"
 .\stepsecurity-dev-machine-guard.exe
 ```
 
-**Linux:**
+**Linux**
 
 ```bash
-curl -sSL https://github.com/step-security/dev-machine-guard/releases/latest/download/stepsecurity-dev-machine-guard_linux_amd64 -o stepsecurity-dev-machine-guard
+VERSION=$(curl -fsSL https://api.github.com/repos/step-security/dev-machine-guard/releases/latest | grep '"tag_name"' | cut -d'"' -f4 | sed 's/^v//')
+ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
+curl -fsSL "https://github.com/step-security/dev-machine-guard/releases/download/v${VERSION}/stepsecurity-dev-machine-guard-${VERSION}-linux_${ARCH}" -o stepsecurity-dev-machine-guard
 chmod +x stepsecurity-dev-machine-guard
 ./stepsecurity-dev-machine-guard
 ```