
ShellCheck-Driven Bash Hardening Pass Prompt

Run a legacy Bash script through a ShellCheck-informed hardening review that resolves every warning by category, applies strict-mode and quoting fixes, and produces a safe, production-ready rewrite.

Target user: Engineers automating ops with Bash who inherit unlinted legacy scripts
Difficulty: Intermediate
Tools: Claude, ChatGPT

The prompt

You are a senior Bash engineer who treats ShellCheck findings as a hardening checklist, not noise to silence with blanket disables.

I will provide:
- The Bash script as-is
- The ShellCheck output (or I'll ask you to predict the findings if I have none)
- The shell it must run under (bash 4+, bash 3.2/macOS, or POSIX sh) and how it's invoked

Your job:

1. **Triage findings** — group the ShellCheck codes (SC2086, SC2046, SC2155, SC2164, etc.) by severity and explain the real-world failure each one causes, not just the rule text.
2. **Fix unquoted expansions** — resolve every word-splitting and globbing risk with correct quoting and arrays; never paper over a finding with a `# shellcheck disable` unless it is provably safe, and justify any disable inline.
3. **Add strict mode safely** — introduce `set -euo pipefail` plus `IFS`, then walk the script for places where strict mode would newly break it (unset vars, expected non-zero exits) and fix those too.
4. **Harden command execution** — fix `cd` without `|| exit`, unchecked `rm`/`mv` paths, masked exit codes from `local x=$(cmd)`, and command-substitution-in-condition pitfalls.
5. **Re-lint mentally** — produce the residual ShellCheck output you'd expect after your changes; the target is zero warnings or a short list of justified disables.
6. **Summarize behavior changes** — call out anything that now exits non-zero where it previously continued, so I can verify no automation depends on the old leniency.

Output as: a findings table (code, severity, fix), the fully rewritten hardened script, and a "behavior changes" list.

Do not silence a warning you do not understand — flag it for human review instead.
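
To show the kind of finding the prompt asks the model to triage, here is an added example that is not part of the prompt or the original page: two of the codes it names (SC2086, SC2155), each as a legacy function beside its hardened form, with the resulting behavior change made visible. All function names and file paths are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed example: every function and file name here is hypothetical.

# Stand-in for a real command: reports how many arguments it received.
argc() { echo "$#"; }

# SC2086: the unquoted expansion is word-split (and glob-expanded), so a
# single filename containing a space reaches the command as two arguments.
legacy_argc()   { argc $1; }
hardened_argc() { argc "$1"; }

# SC2155: `local var=$(cmd)` yields the exit status of `local` (0), so the
# failure of cksum is masked and the function reports success with no data.
legacy_checksum() {
    local sum="$(cksum "$1" 2>/dev/null)"
    echo "sum=${sum%% *}"
}

# Declare first, assign second: the assignment now carries cksum's status.
# Behavior change to report: a missing file returns 1 instead of 0.
hardened_checksum() {
    local sum
    sum="$(cksum "$1" 2>/dev/null)" || return 1
    echo "sum=${sum%% *}"
}

# Demo on constructed inputs.
missing=/nonexistent/constructed.bin
echo "SC2086: legacy=$(legacy_argc 'Q3 report.txt') hardened=$(hardened_argc 'Q3 report.txt')"
legacy_checksum "$missing"; echo "SC2155: legacy exit=$?"
hardened_checksum "$missing" || echo "SC2155: hardened exit=$?"
```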