Fix shellcheck warnings across all scripts

Quote all variable expansions in setup-bridge.sh, teardown-bridge.sh,
and install.sh. Fix redirect order and unused variable in test-suite.sh.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

scripts/install.sh

@@ -61,9 +61,9 @@ if ! command -v firecracker &>/dev/null; then
     curl -fSL -o /tmp/firecracker.tgz \
         "https://github.com/firecracker-microvm/firecracker/releases/download/${FC_VERSION}/firecracker-${FC_VERSION}-${ARCH}.tgz"
     tar xzf /tmp/firecracker.tgz -C /tmp
-    sudo cp /tmp/release-${FC_VERSION}-${ARCH}/firecracker-${FC_VERSION}-${ARCH} /usr/local/bin/firecracker
-    sudo cp /tmp/release-${FC_VERSION}-${ARCH}/jailer-${FC_VERSION}-${ARCH} /usr/local/bin/jailer
-    rm -rf /tmp/firecracker.tgz /tmp/release-${FC_VERSION}-${ARCH}
+    sudo cp "/tmp/release-${FC_VERSION}-${ARCH}/firecracker-${FC_VERSION}-${ARCH}" /usr/local/bin/firecracker
+    sudo cp "/tmp/release-${FC_VERSION}-${ARCH}/jailer-${FC_VERSION}-${ARCH}" /usr/local/bin/jailer
+    rm -rf /tmp/firecracker.tgz "/tmp/release-${FC_VERSION}-${ARCH}"
     log "Firecracker $(firecracker --version 2>&1 | head -1) installed"
 else
     log "Firecracker already installed: $(firecracker --version 2>&1 | head -1)"

scripts/setup-bridge.sh

@@ -10,21 +10,21 @@ SUBNET="172.16.0.0/24"
 EXT_IFACE=$(ip route show default | awk '{print $5; exit}')
 
 echo "Creating bridge ${BRIDGE}..."
-ip link add ${BRIDGE} type bridge 2>/dev/null || echo "Bridge already exists"
-ip addr add ${BRIDGE_IP} dev ${BRIDGE} 2>/dev/null || echo "Address already set"
-ip link set ${BRIDGE} up
+ip link add "${BRIDGE}" type bridge 2>/dev/null || echo "Bridge already exists"
+ip addr add "${BRIDGE_IP}" dev "${BRIDGE}" 2>/dev/null || echo "Address already set"
+ip link set "${BRIDGE}" up
 
 echo "Enabling IP forwarding..."
 sysctl -w net.ipv4.ip_forward=1
 
 echo "Setting up NAT via ${EXT_IFACE}..."
-iptables -t nat -C POSTROUTING -s ${SUBNET} -o ${EXT_IFACE} -j MASQUERADE 2>/dev/null || \
-  iptables -t nat -A POSTROUTING -s ${SUBNET} -o ${EXT_IFACE} -j MASQUERADE
+iptables -t nat -C POSTROUTING -s "${SUBNET}" -o "${EXT_IFACE}" -j MASQUERADE 2>/dev/null || \
+  iptables -t nat -A POSTROUTING -s "${SUBNET}" -o "${EXT_IFACE}" -j MASQUERADE
 
-iptables -C FORWARD -i ${BRIDGE} -o ${EXT_IFACE} -j ACCEPT 2>/dev/null || \
-  iptables -A FORWARD -i ${BRIDGE} -o ${EXT_IFACE} -j ACCEPT
+iptables -C FORWARD -i "${BRIDGE}" -o "${EXT_IFACE}" -j ACCEPT 2>/dev/null || \
+  iptables -A FORWARD -i "${BRIDGE}" -o "${EXT_IFACE}" -j ACCEPT
 
-iptables -C FORWARD -i ${EXT_IFACE} -o ${BRIDGE} -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || \
-  iptables -A FORWARD -i ${EXT_IFACE} -o ${BRIDGE} -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -C FORWARD -i "${EXT_IFACE}" -o "${BRIDGE}" -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || \
+  iptables -A FORWARD -i "${EXT_IFACE}" -o "${BRIDGE}" -m state --state RELATED,ESTABLISHED -j ACCEPT
 
 echo "Done. Bridge ${BRIDGE} ready."

scripts/teardown-bridge.sh

@@ -9,12 +9,12 @@ SUBNET="172.16.0.0/24"
 EXT_IFACE=$(ip route show default | awk '{print $5; exit}')
 
 echo "Removing NAT rules..."
-iptables -t nat -D POSTROUTING -s ${SUBNET} -o ${EXT_IFACE} -j MASQUERADE 2>/dev/null || true
-iptables -D FORWARD -i ${BRIDGE} -o ${EXT_IFACE} -j ACCEPT 2>/dev/null || true
-iptables -D FORWARD -i ${EXT_IFACE} -o ${BRIDGE} -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
+iptables -t nat -D POSTROUTING -s "${SUBNET}" -o "${EXT_IFACE}" -j MASQUERADE 2>/dev/null || true
+iptables -D FORWARD -i "${BRIDGE}" -o "${EXT_IFACE}" -j ACCEPT 2>/dev/null || true
+iptables -D FORWARD -i "${EXT_IFACE}" -o "${BRIDGE}" -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
 
 echo "Removing bridge ${BRIDGE}..."
-ip link set ${BRIDGE} down 2>/dev/null || true
-ip link del ${BRIDGE} 2>/dev/null || true
+ip link set "${BRIDGE}" down 2>/dev/null || true
+ip link del "${BRIDGE}" 2>/dev/null || true
 
 echo "Done."