What this is. The deferred-findings register from the 2026-07-07 read-only script-quality sweep, recorded so the items survive session compaction. Nothing in this file has been executed; every fix listed here is a DOCFIX candidate to be delivered later under the standard change-delivery loop (harness green, repo-lint clean, changelog entry with revert). No identifier numbers are assigned in this register -- the batch that fixes an item assigns its number via the next-free rule at delivery time.
Sweep coverage. 110 files reviewed (scripts/, tests/, .claude/hooks/). Tools available on the review host: bash and python3 only; shellcheck and pyflakes were absent, so findings come from manual read plus targeted fixture probes, not static analysis.
Batch note. The sweep's E/R-class items approved for immediate fix were implemented in the fix batch of this date and are NOT listed here, except the two previously-known items marked FIXED-THIS-BATCH below.
vr_json (scripts/lib-validate.sh, ~line 52) creates _VR_ERR="$(mktemp)" on every call and never removes it. vr_err_tail legitimately needs the file after return, but nothing cleans it up afterwards: one leaked tempfile per vr_json call, per check, per validation run. Fix shape: a single per-process stderr file reused across calls, or an EXIT trap in the library's sourcing contract.
| head -1 SIGPIPE / extract-then-check class in phase-05/06Live-pipe openstack ... | head -1 captures that use the fragment without whole-output validation:
image list --tag ... | head -1)image list --name ... | head -1)port list --server ... | head -1)floating ip list --port ... | head -1) Same class the house style forbids (SIGPIPE race on the producer; a partial failure yields a plausible-looking fragment). Fix shape: capture whole output, validate shape (uuid regex), then select the first row.The helm-install payload run on the conductor (~line 153) does D=$(mktemp -d); cd "$D" and never removes the directory: one leaked tempdir (plus tarball) on the remote unit per graft run. Fix shape: trap cleanup inside the remote payload.
--long + silent empty images.jsonLine ~184: openstack image list --long -f json </dev/null > "$DIR/images.json" 2>/dev/null || true. Two defects: (a) the deprecated --long flag only adds stderr noise (and 2>/dev/null then masks REAL errors, against the stderr-separation rule); (b) a failed list silently commits an empty/missing images.json into the captured BOM. Fix shape: drop --long, stderr to a tempfile surfaced on failure, fail the capture loudly if the JSON is empty or unparseable.
Harnesses that mktemp without a trap cleanup (leak per run):
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT pattern the other 34 harnesses already use.printf | while pipeline subshell, so failed trust deletes could never raise exit 22. Fixed in this date's batch (here-string loop; regression case in tests/tenant-offboard).auth_url= from the cred file with the literal demoted to a KEYSTONE_VIP-overridable fallback. NOTE: the tenant-acceptance.sh foil_env sibling of this class (addendum 28 FOUND-NOT-FIXED list) remains OPEN and is NOT covered by this batch.Transferred verbatim from the sweep report at integration (2026-07-07); effort estimates are the sweep's (S/M/L). Operator has NOT ruled on S1-S5/ S7/S8 -- proposals only.
vr_appcred_env <file> for the app-cred variant. (The offboard tenant_env auth-url bug was fixed narrowly in this batch; this proposal remains the wider consolidation.)coe cluster list captures (inventory ~line 160; delete loop and wait loop in Phase A) still use 2>&1: a stderr warning line would word-split into coe cluster delete argv and keep the wait loop from ever seeing empty (budget exit 21). Same class as the Phase C fix; was not in the approved batch scope. The offboard harness deliberately excludes coe commands from its stderr-noise scenario until this is fixed.domain show/token issue captures (fail-closed class). tenant-offboard.sh (~line 133, sweep-mode preamble) and tenant-onboard.sh stage subshells validate $(... 2>&1) captures by shape/equality. Failure direction is CLOSED (safe), but a benign stderr warning on a noisy CLI would abort with a false precondition/auth failure. Cosmetic-risk cleanup candidate, same stdout-only pattern.ASCII + LF.