docs: add README files for all script categories and update project docs

Add Getting Started sections and correct usage commands to all category
READMEs (TypeScript, Python, Bash). Update top-level README.md and
CLAUDE.md to reflect the Bash language, correct project structure, and
accurate make run instructions. Remove completed DOCS_TODO.md.

bash/cohort/README.md

@@ -0,0 +1,75 @@
+# Cohort Bash Scripts
+
+Shell scripts for managing GitHub team membership during the NHCarrigan spring cohort programme. These scripts handle one-off team changes that are too complex or bulk-oriented to do manually through the GitHub web interface.
+
+All scripts use the `gh` CLI for GitHub API calls. Run `gh auth login` before using them.
+
+## Getting Started
+
+Run scripts via the interactive runner from the project root:
+
+```bash
+make run
+# Select: Bash → cohort → <script>
+```
+
+Or run directly:
+
+```bash
+bash bash/cohort/<script-name>.sh
+```
+
+## Table of Contents
+
+- [remove\_github\_members.sh](#remove_github_memberssh)
+- [update\_github\_teams.sh](#update_github_teamssh)
+
+---
+
+## remove_github_members.sh
+
+Removes a hardcoded list of inactive members from their GitHub organisation teams in the `nhcarrigan-spring-2026-cohort` organisation. Covers both standard team membership and `-leaders` sub-team membership where applicable.
+
+### Usage
+
+```bash
+bash bash/cohort/remove_github_members.sh
+```
+
+### Environment Variables
+
+None. Uses `gh` CLI authentication — run `gh auth login` first.
+
+### Data Files
+
+None. Member usernames and team slugs are hardcoded in the script.
+
+### Notes
+
+- The member list and team assignments are specific to a point-in-time removal event. Update the script with the correct usernames before each use.
+- Each removal command uses `|| true` so a single failure (e.g. member already removed) does not abort the entire script.
+
+---
+
+## update_github_teams.sh
+
+Orchestrates a multi-step GitHub team restructure: removes all members from a dissolved team, clears its leaders sub-team, then adds each member to their new team. Also promotes a member to leader in their new team.
+
+### Usage
+
+```bash
+bash bash/cohort/update_github_teams.sh
+```
+
+### Environment Variables
+
+None. Uses `gh` CLI authentication — run `gh auth login` first.
+
+### Data Files
+
+None. All member usernames, team slugs, and role assignments are hardcoded in the script.
+
+### Notes
+
+- This script is specific to a one-off team restructure (Jade Jasmine dissolution). Update the member list and team assignments before each use.
+- The script exits immediately on any error (`set -e`). If a step fails, check whether the member or team already exists in the target state.

bash/yubikey/README.md

@@ -0,0 +1,109 @@
+# YubiKey Scripts
+
+Shell scripts for managing YubiKey hardware security keys on WSL (Windows Subsystem for Linux). Covers SSH key extraction, Git signing key configuration, and fixing USB permission issues that commonly arise in WSL environments.
+
+All scripts require a YubiKey to be attached and forwarded to WSL via `usbipd`. The `ykman` and `yubico-piv-tool` packages must be installed.
+
+## Getting Started
+
+Run scripts via the interactive runner from the project root:
+
+```bash
+make run
+# Select: Bash → yubikey → <script>
+```
+
+Or run directly:
+
+```bash
+bash bash/yubikey/<script-name>.sh
+```
+
+## Table of Contents
+
+- [add-keys-to-git.sh](#add-keys-to-gitsh)
+- [fix-yubikey-perms.sh](#fix-yubikey-permssh)
+- [list-yubikey-ssh-keys.sh](#list-yubikey-ssh-keyssh)
+
+---
+
+## add-keys-to-git.sh
+
+Extracts the SSH public keys from three YubiKey PIV slots and writes them as Git commit signing keys to the corresponding per-context Git config files. Run this after replacing or re-provisioning a YubiKey.
+
+| Slot | Context | Config file |
+|---|---|---|
+| 9a | Personal | `~/.git-naomi` |
+| 9c | Deepgram | `~/.git-dg` |
+| 9e | FreeCodeCamp | `~/.git-fcc` |
+
+### Usage
+
+```bash
+bash bash/yubikey/add-keys-to-git.sh
+```
+
+### Environment Variables
+
+None.
+
+### Data Files
+
+None.
+
+### Notes
+
+- After running, you must upload the new public keys to GitHub (and any other services that verify commit signatures) manually.
+- Requires `ykman` and `ssh-keygen` to be available in your PATH.
+
+---
+
+## fix-yubikey-perms.sh
+
+Repairs YubiKey connectivity in WSL by fixing USB device permissions, restarting smart card services, and applying a polkit policy override that allows smart card access in WSL's "inactive" session context.
+
+### Usage
+
+```bash
+bash bash/yubikey/fix-yubikey-perms.sh
+```
+
+### Environment Variables
+
+None.
+
+### Data Files
+
+None.
+
+### Notes
+
+- Run this script when `ykman` or `yubico-piv-tool` fail with "Failed to connect" or similar errors after attaching the YubiKey via `usbipd`.
+- The polkit fix modifies `/usr/share/polkit-1/actions/org.debian.pcsc-lite.policy` (a backup is created automatically on first run).
+- Requires `sudo` access. Several steps use `sudo` to modify system files and restart services.
+- Requires `lsusb`, `yubico-piv-tool`, `systemctl`, and `gpgconf` to be available.
+
+---
+
+## list-yubikey-ssh-keys.sh
+
+Scans PIV slots 9a, 9c, 9d, and 9e on the connected YubiKey and prints any SSH public keys found, along with the certificate subject label if one is present.
+
+### Usage
+
+```bash
+bash bash/yubikey/list-yubikey-ssh-keys.sh
+```
+
+### Environment Variables
+
+None.
+
+### Data Files
+
+None.
+
+### Notes
+
+- Requires `ykman`, `ssh-keygen`, and `openssl` to be available.
+- Writes a temporary file to `/tmp/yubi_tmp.pem` during execution; it is cleaned up automatically after each slot is processed.