fix(shell): address all shellcheck warnings with -oall

Changes across docker/openemr (7.0.4, 7.0.5, 8.0.0, binary, flex),
packages/standard, and utilities:

Shell style improvements:
- Quote variables to prevent word splitting (SC2086)
- Use `find -exec {} +` instead of `find -print0 | xargs -0`
- Use arithmetic syntax `(( ))` instead of `[ ]` for numeric comparisons
- Use single `=` in `[[ ]]` tests instead of `==`
- Use single quotes for literal strings
- Use `mkdir -p` instead of `[[ ! -d ]] && mkdir`
- Use POSIX parameter expansion for optional args: `${VAR:+-flag} ${VAR:+"$VAR"}`
- Use `:` instead of `true` for no-op commands
- Use `echo` for simple strings, `printf` only when format specifiers needed
- Replace manual ANSI escapes with tput

Bug fixes:
- Fix misplaced quote in chown command (7.0.4, 8.0.0 devtoolsLibrary.source)

Legitimate shellcheck disables with comments:
- SC2086: CONFIGURATION variable intentionally word-splits
- SC2154: Variables passed as environment variables to container
- SC2310: Functions in retry loops with set -e are intentional
- SC2016: Literal $ in warning messages

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: kojiromike

docker/openemr/7.0.4/openemr.sh

@@ -1,4 +1,7 @@
 #!/bin/sh
+# shellcheck disable=SC2154,SC2310
+# SC2154: Variables are passed as environment variables to the Docker container
+# SC2310: Functions used in retry loops with set -e are intentional
 # Allows customization of openemr credentials, preventing the need for manual setup
 #  (Note can force a manual setup by setting MANUAL_SETUP to 'yes')
 #  - Required settings for auto installation are MYSQL_HOST and MYSQL_ROOT_PASS
@@ -28,24 +31,27 @@ auto_setup() {
     find . -not -perm 600 -exec chmod 600 {} \+
 
     #create temporary file cache directory for auto_configure.php to use
-    TMP_FILE_CACHE_LOCATION="/tmp/php-file-cache"
-    mkdir ${TMP_FILE_CACHE_LOCATION}
+    TMP_FILE_CACHE_LOCATION='/tmp/php-file-cache'
+    mkdir "${TMP_FILE_CACHE_LOCATION}"
 
     #create auto_configure.ini to be able to leverage opcache for operations
-    touch auto_configure.ini
-    echo "opcache.enable=1" >> auto_configure.ini
-    echo "opcache.enable_cli=1" >> auto_configure.ini
-    echo "opcache.file_cache=${TMP_FILE_CACHE_LOCATION}" >> auto_configure.ini
-    echo "opcache.file_cache_only=1" >> auto_configure.ini
-    echo "opcache.file_cache_consistency_checks=1" >> auto_configure.ini
-    echo "opcache.enable_file_override=1" >> auto_configure.ini
-    echo "opcache.max_accelerated_files=1000000" >> auto_configure.ini
+    {
+        echo 'opcache.enable=1'
+        echo 'opcache.enable_cli=1'
+        echo "opcache.file_cache=${TMP_FILE_CACHE_LOCATION}"
+        echo 'opcache.file_cache_only=1'
+        echo 'opcache.file_cache_consistency_checks=1'
+        echo 'opcache.enable_file_override=1'
+        echo 'opcache.max_accelerated_files=1000000'
+    } > auto_configure.ini
 
     #run auto_configure
+    # CONFIGURATION is intentionally unquoted - it contains space-separated key=value pairs
+    # shellcheck disable=SC2086
     php auto_configure.php -c auto_configure.ini -f ${CONFIGURATION} || return 1
 
     #remove temporary file cache directory and auto_configure.ini
-    rm -r ${TMP_FILE_CACHE_LOCATION}
+    rm -r "${TMP_FILE_CACHE_LOCATION}"
     rm auto_configure.ini
 
     echo "OpenEMR configured."
@@ -75,7 +81,7 @@ fi
 if [ "${SWARM_MODE}" = "yes" ]; then
     # atomically test for leadership
     set -o noclobber
-    { > /var/www/localhost/htdocs/openemr/sites/docker-leader ; } &> /dev/null || AUTHORITY=no
+    { : > /var/www/localhost/htdocs/openemr/sites/docker-leader ; } > /dev/null 2>&1 || AUTHORITY=no
     set +o noclobber
 
     if [ "${AUTHORITY}" = "no" ] &&
@@ -241,18 +247,18 @@ if
 
     if ${UPGRADE_YES}; then
         # Need to do the upgrade
-        echo "Attempting upgrade"
+        echo 'Attempting upgrade'
         c=${DOCKER_VERSION_SITES}
         while [ "${c}" -le "${DOCKER_VERSION_ROOT}" ]; do
             if [ "${c}" -gt "${DOCKER_VERSION_SITES}" ] ; then
                 echo "Start: Processing fsupgrade-${c}.sh upgrade script"
-                sh /root/fsupgrade-${c}.sh
+                sh "/root/fsupgrade-${c}.sh"
                 echo "Completed: Processing fsupgrade-${c}.sh upgrade script"
             fi
             c=$(( c + 1 ))
         done
-        echo -n ${DOCKER_VERSION_ROOT} > /var/www/localhost/htdocs/openemr/sites/default/docker-version
-        echo "Completed upgrade"
+        printf '%s' "${DOCKER_VERSION_ROOT}" > /var/www/localhost/htdocs/openemr/sites/default/docker-version
+        echo 'Completed upgrade'
     fi
 fi
 
@@ -269,8 +275,8 @@ if [ "${REDIS_SERVER}" != "" ] &&
     #    version 5.3.7 .
     if [ "${PHPREDIS_BUILD}" != "" ]; then
       apk update
-      apk del --no-cache php${PHP_VERSION_ABBR}-redis
-      apk add --no-cache git php${PHP_VERSION_ABBR}-dev php${PHP_VERSION_ABBR}-pecl-igbinary gcc make g++
+      apk del --no-cache "php${PHP_VERSION_ABBR}-redis"
+      apk add --no-cache git "php${PHP_VERSION_ABBR}-dev" "php${PHP_VERSION_ABBR}-pecl-igbinary" gcc make g++
       mkdir /tmpredis
       cd /tmpredis
       git clone https://github.com/phpredis/phpredis.git
@@ -282,11 +288,12 @@ if [ "${REDIS_SERVER}" != "" ] &&
       phpize83
       # note for php 8.3, needed to change from './configure --enable-redis-igbinary' to:
       ./configure --with-php-config=/usr/bin/php-config83 --enable-redis-igbinary
-      make -j $(nproc --all)
+      nproc_count=$(nproc --all)
+      make -j "${nproc_count}"
       make install
-      echo "extension=redis" > /etc/php${PHP_VERSION_ABBR}/conf.d/20_redis.ini
+      echo 'extension=redis' > "/etc/php${PHP_VERSION_ABBR}/conf.d/20_redis.ini"
       rm -fr /tmpredis/phpredis
-      apk del --no-cache git php${PHP_VERSION_ABBR}-dev gcc make g++
+      apk del --no-cache git "php${PHP_VERSION_ABBR}-dev" gcc make g++
       cd /var/www/localhost/htdocs/openemr
     fi
 
@@ -327,7 +334,7 @@ if [ "${REDIS_SERVER}" != "" ] &&
 
     # Configure PHP to use Redis for sessions via conf.d include file
     {
-        printf 'session.save_handler = redis\n'
+        echo 'session.save_handler = redis'
         printf 'session.save_path = "%s"\n' "${REDIS_PATH}"
     } > "/etc/php${PHP_VERSION_ABBR}/conf.d/redis-session.ini"
 
@@ -436,14 +443,16 @@ if [ "${XDEBUG_IDE_KEY}" != "" ] ||
    sh xdebug.sh
    #also need to turn off opcache since it can not be turned on with xdebug
    if [ ! -f /etc/php-opcache-jit-configured ]; then
-      echo "opcache.enable=0" >> /etc/php${PHP_VERSION_ABBR}/php.ini
+      echo 'opcache.enable=0' >> "/etc/php${PHP_VERSION_ABBR}/php.ini"
       touch /etc/php-opcache-jit-configured
    fi
 else
    # Configure opcache jit if Xdebug is not being used (note opcache is already on, so just need to add setting(s) to php.ini that are different from the default setting(s))
    if [ ! -f /etc/php-opcache-jit-configured ]; then
-      echo "opcache.jit=tracing" >> /etc/php${PHP_VERSION_ABBR}/php.ini
-      echo "opcache.jit_buffer_size=100M" >> /etc/php${PHP_VERSION_ABBR}/php.ini
+      {
+          echo 'opcache.jit=tracing'
+          echo 'opcache.jit_buffer_size=100M'
+      } >> "/etc/php${PHP_VERSION_ABBR}/php.ini"
       touch /etc/php-opcache-jit-configured
    fi
 fi

docker/openemr/7.0.4/ssl.sh

@@ -1,4 +1,6 @@
 #!/bin/sh
+# shellcheck disable=SC2154
+# SC2154: Variables are passed as environment variables to the Docker container
 #
 # configures SSL
 # optionally configures Let's Encrypt
@@ -25,28 +27,27 @@ if [ ! -f /etc/ssl/docker-selfsigned-configured ]; then
 fi
 
 if [ "${DOMAIN}" != "" ]; then
-        if [ "${EMAIL}" != "" ]; then
-        EMAIL="-m ${EMAIL}"
-    else
-        echo "WARNING: SETTING AN EMAIL VIA \$EMAIL is HIGHLY RECOMMENDED IN ORDER TO"
-        echo "         RECEIVE ALERTS FROM LETSENCRYPT ABOUT YOUR SSL CERTIFICATE."
+    if [ "${EMAIL}" = "" ]; then
+        # shellcheck disable=SC2016
+        echo 'WARNING: SETTING AN EMAIL VIA $EMAIL is HIGHLY RECOMMENDED IN ORDER TO'
+        echo '         RECEIVE ALERTS FROM LETSENCRYPT ABOUT YOUR SSL CERTIFICATE.'
     fi
     # if a domain has been set, set up LE and target those certs
 
-    if ! [ -f /etc/letsencrypt/live/${DOMAIN}/fullchain.pem ]; then
+    if ! [ -f "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem" ]; then
         /usr/sbin/httpd -k start
         sleep 2
-        certbot certonly --webroot -n -w /var/www/localhost/htdocs/openemr/ -d ${DOMAIN} ${EMAIL} --agree-tos
+        certbot certonly --webroot -n -w /var/www/localhost/htdocs/openemr/ -d "${DOMAIN}" ${EMAIL:+-m} ${EMAIL:+"${EMAIL}"} --agree-tos
         /usr/sbin/httpd -k stop
-        echo "1 23  *   *   *   certbot renew -q --post-hook \"httpd -k graceful\"" >> /etc/crontabs/root
+        echo '1 23  *   *   *   certbot renew -q --post-hook "httpd -k graceful"' >> /etc/crontabs/root
     fi
 
     # run letsencrypt as a daemon and reference the correct cert
     if [ ! -f /etc/ssl/docker-letsencrypt-configured ]; then
         rm -f /etc/ssl/certs/webserver.cert.pem
         rm -f /etc/ssl/private/webserver.key.pem
-        ln -s /etc/letsencrypt/live/${DOMAIN}/fullchain.pem /etc/ssl/certs/webserver.cert.pem
-        ln -s /etc/letsencrypt/live/${DOMAIN}/privkey.pem /etc/ssl/private/webserver.key.pem
+        ln -s "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem" /etc/ssl/certs/webserver.cert.pem
+        ln -s "/etc/letsencrypt/live/${DOMAIN}/privkey.pem" /etc/ssl/private/webserver.key.pem
         touch /etc/ssl/docker-letsencrypt-configured
     fi
 

docker/openemr/7.0.4/upgrade/fsupgrade-1.sh

@@ -1,103 +1,61 @@
 #!/bin/sh
 # Upgrade number 1 for OpenEMR docker
 #  From prior version 5.0.1 (needed for the sql upgrade script).
-priorOpenemrVersion="5.0.1"
+priorOpenemrVersion='5.0.1'
 
-echo "Start: Upgrade to docker-version 1"
+echo 'Start: Upgrade to docker-version 1'
 
 # Perform codebase upgrade on each directory in sites/
-for dir in $(find /var/www/localhost/htdocs/openemr/sites/* -maxdepth 0 -type d ); do
-    sitename=$(basename "${dir}")
+for dir in /var/www/localhost/htdocs/openemr/sites/*/; do
+    sitename=${dir%/}
+    sitename=${sitename##*/}
 
     # Ensure have all directories
     echo "Start: Ensure have all directories in ${sitename}"
-    if [ ! -d ${dir}/documents/certificates ]; then
-        mkdir -p ${dir}/documents/certificates
-    fi
-    if [ ! -d ${dir}/documents/couchdb ]; then
-        mkdir -p ${dir}/documents/couchdb
-    fi
-    if [ ! -d ${dir}/documents/custom_menus/patient_menus ]; then
-        mkdir -p ${dir}/documents/custom_menus/patient_menus
-    fi
-    if [ ! -d ${dir}/documents/edi ]; then
-        mkdir -p ${dir}/documents/edi
-    fi
-    if [ ! -d ${dir}/documents/era ]; then
-        mkdir -p ${dir}/documents/era
-    fi
-    if [ ! -d ${dir}/documents/letter_templates ]; then
-        mkdir -p ${dir}/documents/letter_templates
-    fi
-    if [ ! -d ${dir}/documents/logs_and_misc/methods ]; then
-        mkdir -p ${dir}/documents/logs_and_misc/methods
-    fi
-    if [ ! -d ${dir}/documents/mpdf/pdf_tmp ]; then
-        mkdir -p ${dir}/documents/mpdf/pdf_tmp
-    fi
-    if [ ! -d ${dir}/documents/onsite_portal_documents/templates ]; then
-        mkdir -p ${dir}/documents/onsite_portal_documents/templates
-    fi
-    if [ ! -d ${dir}/documents/procedure_results ]; then
-        mkdir -p ${dir}/documents/procedure_results
-    fi
-    if [ ! -d ${dir}/documents/smarty/gacl ]; then
-        mkdir -p ${dir}/documents/smarty/gacl
-    fi
-    if [ ! -d ${dir}/documents/smarty/main ]; then
-        mkdir -p ${dir}/documents/smarty/main
-    fi
-    if [ ! -d ${dir}/documents/temp ]; then
-        mkdir -p ${dir}/documents/temp
-    fi
+    mkdir -p "${dir}documents/certificates" \
+             "${dir}documents/couchdb" \
+             "${dir}documents/custom_menus/patient_menus" \
+             "${dir}documents/edi" \
+             "${dir}documents/era" \
+             "${dir}documents/letter_templates" \
+             "${dir}documents/logs_and_misc/methods" \
+             "${dir}documents/mpdf/pdf_tmp" \
+             "${dir}documents/onsite_portal_documents/templates" \
+             "${dir}documents/procedure_results" \
+             "${dir}documents/smarty/gacl" \
+             "${dir}documents/smarty/main" \
+             "${dir}documents/temp"
     echo "Completed: Ensure have all directories in ${sitename}"
 
     # Update new directory structure
+    # Move contents to new location (silently skip if dir missing/empty), then remove old dir
     echo "Start: Update new directory structure in ${sitename}"
-    if [ -d ${dir}/era ]; then
-        if [ "$(ls ${dir}/era)" ]; then
-            mv -f ${dir}/era/* ${dir}/documents/era/
-        fi
-        rm -rf ${dir}/era
-    fi
-    if [ -d ${dir}/edi ]; then
-        if [ "$(ls ${dir}/edi)" ]; then
-            mv -f ${dir}/edi/* ${dir}/documents/edi/
-        fi
-        rm -rf ${dir}/edi
-    fi
-    if [ -d ${dir}/letter_templates ]; then
-        if [ "$(ls ${dir}/letter_templates)" ]; then
-            if [ -f ${dir}/letter_templates/custom_pdf.php ]; then
-                mv -f ${dir}/letter_templates/custom_pdf.php ${dir}/
-            fi
-            mv -f ${dir}/letter_templates/* ${dir}/documents/letter_templates/
-        fi
-        rm -rf ${dir}/letter_templates
-    fi
-    if [ -d ${dir}/procedure_results ]; then
-        if [ "$(ls ${dir}/procedure_results)" ]; then
-            mv -f ${dir}/procedure_results/* ${dir}/documents/procedure_results/
-        fi
-        rm -rf ${dir}/procedure_results
-    fi
+    mv -f "${dir}era"/* "${dir}documents/era/" 2>/dev/null || true
+    rm -rf "${dir}era/"
+    mv -f "${dir}edi"/* "${dir}documents/edi/" 2>/dev/null || true
+    rm -rf "${dir}edi/"
+    mv -f "${dir}letter_templates/custom_pdf.php" "${dir}" 2>/dev/null || true
+    mv -f "${dir}letter_templates"/* "${dir}documents/letter_templates/" 2>/dev/null || true
+    rm -rf "${dir}letter_templates/"
+    mv -f "${dir}procedure_results"/* "${dir}documents/procedure_results/" 2>/dev/null || true
+    rm -rf "${dir}procedure_results/"
     echo "Completed: Update new directory structure in ${sitename}"
 
     # Clear smarty cache
     echo "Start: Clear smarty cache in ${sitename}"
-    rm -fr ${dir}/documents/smarty/gacl/*
-    rm -fr ${dir}/documents/smarty/main/*
+    rm -fr "${dir}documents/smarty/gacl"/* "${dir}documents/smarty/main"/*
     echo "Completed: Clear smarty cache in ${sitename}"
 done
 
 # Fix permissions
-echo "Start: Fix permissions"
+echo 'Start: Fix permissions'
 chown -R apache:root /var/www/localhost/htdocs/openemr/sites/
-echo "Completed: Fix permissions"
+echo 'Completed: Fix permissions'
 
 # Perform database upgrade on each directory in sites/
-for dirdata in $(find /var/www/localhost/htdocs/openemr/sites/* -maxdepth 0 -type d ); do
-    sitename=$(basename "${dirdata}")
+for dir in /var/www/localhost/htdocs/openemr/sites/*/; do
+    sitename=${dir%/}
+    sitename=${sitename##*/}
 
     # Upgrade database
     echo "Start: Upgrade database for ${sitename} from ${priorOpenemrVersion}"
@@ -111,4 +69,4 @@ for dirdata in $(find /var/www/localhost/htdocs/openemr/sites/* -maxdepth 0 -typ
     echo "Completed: Upgrade database for ${sitename} from ${priorOpenemrVersion}"
 done
 
-echo "Completed: Upgrade to docker-version 1"
+echo 'Completed: Upgrade to docker-version 1'