style(shell): clear ShellCheck warnings in 7.0.4 openemr.sh and ssl.sh (#655)

## Summary

Slice 4 of the openemr-devops ShellCheck cleanup (follow-up to #649,
alongside #652 / #653). Resolves all 19 warnings in
`docker/openemr/7.0.4/openemr.sh` and both warnings in
`docker/openemr/7.0.4/ssl.sh`.

## Changes

- **New `docker/openemr/7.0.4/env.stub`** declares the 14 environment
variables both scripts read from the Docker runtime (set by
docker-compose `environment:` or `-e` flags): `K8S`, `SWARM_MODE`,
`MANUAL_SETUP`, `REDIS_SERVER`, `PHPREDIS_BUILD`, `PHP_VERSION_ABBR`,
`REDIS_USERNAME`, `REDIS_PASSWORD`, `REDIS_X509`, `REDIS_TLS`,
`XDEBUG_IDE_KEY`, `XDEBUG_ON`, `DOMAIN`, `OPERATOR`. Each is declared
with `: "${VAR:=}"` so the stub is a no-op when sourced and never
overrides real env values.
- **`# shellcheck source=docker/openemr/7.0.4/env.stub` directive**
added to both scripts, followed by `. /root/env.stub 2>/dev/null ||
true`. The directive path is repo-root-relative (matching how CI invokes
shellcheck and matching the pattern from #653); the runtime guard keeps
the script working inside the container image, where the stub is not
shipped. Clears all SC2154.
- **`openemr.sh` line 80 (SC2188 + SC3020):** replace `{ > FILE ; } &>
/dev/null` with `: > FILE 2>/dev/null`. POSIX-compliant no-op write with
redirected stderr; same intent (try to create the leader marker, fall
back to `AUTHORITY=no` on failure).
- **`openemr.sh` line 256 (SC3037):** replace `echo -n`
(POSIX-undefined) with `printf '%s'`.
- **`openemr.sh` line 287 (SC2312):** hoist `nproc --all` into a `jobs`
variable so `make -j "${jobs}"` no longer masks nproc's exit status.
- **`openemr.sh` noclobber block:** expand the "atomically test for
leadership" comment into a TOCTOU-vs-`O_CREAT|O_EXCL` explanation per
review.
- **`openemr.sh` SC2310 ×3** at the retry predicates `while swarm_wait`
(line 99) and `while ! auto_setup` (line 241): resolved with targeted `#
shellcheck disable=SC2310` plus a comment explaining the intent. The
predicates' failure is the loop-termination signal, not a script-fatal
condition, so the `set -e` suppression inside the `while` / `!` contexts
is the intended behaviour — a structural rewrite would invert the
retry-loop semantics.

## Verification

```
$ shellcheck --check-sourced --external-sources \
    docker/openemr/7.0.4/openemr.sh \
    docker/openemr/7.0.4/ssl.sh
```

is clean (exit 0).

## Test plan

- [x] `bash -n` clean on both scripts
- [x] `shellcheck --check-sourced --external-sources` clean on both
scripts
- [ ] CI ShellCheck workflow passes on this PR

Author: kojiromike

docker/openemr/7.0.4/env.stub

@@ -0,0 +1,24 @@
+# shellcheck shell=sh
+# Stub file for ShellCheck SC2154 (vars referenced but not assigned).
+# These variables come from the Docker container environment, set by
+# docker-compose's `environment:` block or `-e` flags on `docker run`.
+# This file exists solely to tell ShellCheck the names are intentional;
+# it is not sourced at runtime.
+
+# openemr.sh
+: "${K8S:=}"
+: "${SWARM_MODE:=}"
+: "${MANUAL_SETUP:=}"
+: "${REDIS_SERVER:=}"
+: "${PHPREDIS_BUILD:=}"
+: "${PHP_VERSION_ABBR:=}"
+: "${REDIS_USERNAME:=}"
+: "${REDIS_PASSWORD:=}"
+: "${REDIS_X509:=}"
+: "${REDIS_TLS:=}"
+: "${XDEBUG_IDE_KEY:=}"
+: "${XDEBUG_ON:=}"
+
+# ssl.sh
+: "${DOMAIN:=}"
+: "${OPERATOR:=}"

docker/openemr/7.0.4/openemr.sh

@@ -12,6 +12,18 @@ set -e
 # shellcheck source=SCRIPTDIR/utilities/devtoolsLibrary.source
 . /root/devtoolsLibrary.source
 
+# Environment variables used by this script are supplied by the Docker runtime
+# (docker-compose `environment:` or `-e` flags). The env.stub file declares
+# them for ShellCheck's benefit using `: "${VAR:=}"` assignments that leave
+# real runtime values untouched. The stub is not shipped into the container
+# image; the `if false` keeps the `.` statically visible to ShellCheck's
+# source-follower without ever running it — BusyBox ash treats `.` as a
+# special builtin and exits the shell on file-not-found even with `|| true`.
+if false; then
+    # shellcheck source=docker/openemr/7.0.4/env.stub
+    . /root/env.stub
+fi
+
 swarm_wait() {
     if [ ! -f /var/www/localhost/htdocs/openemr/sites/docker-completed ]; then
         # true
@@ -75,13 +87,23 @@ elif [ "${K8S}" = "worker" ]; then
 fi
 
 if [ "${SWARM_MODE}" = "yes" ]; then
-    # atomically test for leadership
+    # Atomically test for leadership. Multiple swarm containers race through this block,
+    # and exactly one must become the leader. A `[ -f file ]` check followed by a create
+    # has a TOCTOU race — every racer sees the file missing, every racer creates it, every
+    # racer declares itself leader. Instead, `set -o noclobber` makes the redirect below
+    # use `open(O_CREAT|O_EXCL)`: the kernel serializes the creation, exactly one redirect
+    # succeeds, and every other container's redirect fails with EEXIST and falls into the
+    # `|| AUTHORITY=no` branch. One winner by construction.
     set -o noclobber
-    { > /var/www/localhost/htdocs/openemr/sites/docker-leader ; } &> /dev/null || AUTHORITY=no
+    : > /var/www/localhost/htdocs/openemr/sites/docker-leader 2>/dev/null || AUTHORITY=no
     set +o noclobber
 
     if [ "${AUTHORITY}" = "no" ] &&
        [ ! -f /var/www/localhost/htdocs/openemr/sites/docker-completed ]; then
+        # swarm_wait is a retry predicate: its failure is the loop termination
+        # signal, not a script-fatal condition. Disabling set -e in the while
+        # condition is intentional.
+        # shellcheck disable=SC2310
         while swarm_wait; do
             echo "Waiting for the docker-leader to finish configuration before proceeding."
             sleep 10;
@@ -224,6 +246,10 @@ if [ "${AUTHORITY}" = "yes" ]; then
        [ "${MANUAL_SETUP}" != "yes" ]; then
 
         echo "Running quick setup!"
+        # auto_setup is a retry predicate: the loop drives it to success and
+        # the ! inverts its exit for the exit condition. Disabling set -e in
+        # both the ! and while contexts is intentional.
+        # shellcheck disable=SC2310
         while ! auto_setup; do
             echo "Couldn't set up. Any of these reasons could be what's wrong:"
             echo " - You didn't spin up a MySQL container or connect your OpenEMR container to a mysql instance"
@@ -253,7 +279,7 @@ if
             fi
             c=$(( c + 1 ))
         done
-        echo -n "${DOCKER_VERSION_ROOT}" > /var/www/localhost/htdocs/openemr/sites/default/docker-version
+        printf '%s' "${DOCKER_VERSION_ROOT}" > /var/www/localhost/htdocs/openemr/sites/default/docker-version
         echo "Completed upgrade"
     fi
 fi
@@ -284,7 +310,8 @@ if [ "${REDIS_SERVER}" != "" ] &&
       phpize83
       # note for php 8.3, needed to change from './configure --enable-redis-igbinary' to:
       ./configure --with-php-config=/usr/bin/php-config83 --enable-redis-igbinary
-      make -j "$(nproc --all)"
+      jobs=$(nproc --all)
+      make -j "${jobs}"
       make install
       echo "extension=redis" > "/etc/php${PHP_VERSION_ABBR}/conf.d/20_redis.ini"
       rm -fr /tmpredis/phpredis

docker/openemr/7.0.4/ssl.sh

@@ -8,6 +8,18 @@
 #
 set -e
 
+# Environment variables used by this script are supplied by the Docker runtime
+# (docker-compose `environment:` or `-e` flags). The env.stub file declares
+# them for ShellCheck's benefit using `: "${VAR:=}"` assignments that leave
+# real runtime values untouched. The stub is not shipped into the container
+# image; the `if false` keeps the `.` statically visible to ShellCheck's
+# source-follower without ever running it — BusyBox ash treats `.` as a
+# special builtin and exits the shell on file-not-found even with `|| true`.
+if false; then
+    # shellcheck source=docker/openemr/7.0.4/env.stub
+    . /root/env.stub
+fi
+
  if ! [ -f /etc/ssl/private/selfsigned.key.pem ]; then
     openssl req -x509 -newkey rsa:4096 \
     -keyout /etc/ssl/private/selfsigned.key.pem \