diff --git a/sso-mfa/k8s/lldap/dry-run-nonroot-user.sh b/sso-mfa/k8s/lldap/dry-run-nonroot-user.sh
index 344adba..39313f7 100755
--- a/sso-mfa/k8s/lldap/dry-run-nonroot-user.sh
+++ b/sso-mfa/k8s/lldap/dry-run-nonroot-user.sh
@@ -38,17 +38,23 @@ DO_LOCK_OFFBOARD=true
 KEEP_USER=false
 CLEANUP_ONLY=""
-shift $(( $# > 3 ? 3 : $# ))
-while [[ $# -gt 0 ]]; do
- case "$1" in
- --actor) ACTOR="$2"; shift 2 ;;
- --scope) SCOPE="$2"; shift 2 ;;
- --no-lockoffboard) DO_LOCK_OFFBOARD=false; shift ;;
- --keep-user) KEEP_USER=true; shift ;;
- --cleanup-only) CLEANUP_ONLY="$2"; shift 2 ;;
- *) echo "Unknown arg $1"; exit 1 ;;
- esac
-done
+# Handle --cleanup-only early (can be first arg)
+if [[ "${1:-}" == "--cleanup-only" ]]; then
+ CLEANUP_ONLY="${2:-t06-*}"
+ shift 2 || true
+else
+ shift $(( $# > 3 ? 3 : $# ))
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --actor) ACTOR="$2"; shift 2 ;;
+ --scope) SCOPE="$2"; shift 2 ;;
+ --no-lockoffboard) DO_LOCK_OFFBOARD=false; shift ;;
+ --keep-user) KEEP_USER=true; shift ;;
+ --cleanup-only) CLEANUP_ONLY="$2"; shift 2 ;;
+ *) echo "Unknown arg $1"; exit 1 ;;
+ esac
+ done
+fi
 if [[ -n "$CLEANUP_ONLY" ]]; then
 echo "=== Cleanup-only mode for pattern $CLEANUP_ONLY ==="
@@ -127,7 +133,7 @@ chmod 600 "$SECRETS_TMP/lldap/secrets.env"
 # From usage: ./create-user.sh ... [lldap-url] [secrets-dir]
 # So we can pass the temp as secrets-dir.
-"$KUBECTL"=/home/worsch/.local/bin/kubectl ./create-user.sh \
+KUBECTL=/home/worsch/.local/bin/kubectl ./create-user.sh \
 "$USERNAME" "$EMAIL" "$DISPLAY" --test \
 "$LLDAP_URL" "$SECRETS_TMP" 2>&1 | cat
diff --git a/tools/security-bootstrap-console/security_bootstrap_console.py b/tools/security-bootstrap-console/security_bootstrap_console.py
index 194f45f..a8067fe 100755
--- a/tools/security-bootstrap-console/security_bootstrap_console.py
+++ b/tools/security-bootstrap-console/security_bootstrap_console.py
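Review bot: The early `--cleanup-only` branch accepts any pattern from argv without a guard, although the default shows the intended scope is the `t06-` test prefix. What the cleanup block does with `$CLEANUP_ONLY` lies outside this hunk, but if it removes matching LLDAP users, a pattern such as `*` would reach real accounts. A check right after the assignment, `[[ "$CLEANUP_ONLY" == t06-* ]] || { echo "Refusing cleanup pattern $CLEANUP_ONLY" >&2; exit 1; }`, would keep the mode confined to test users. `shift 2 || true` also hides the case where the flag is given without a value, and any arguments after the pattern are silently ignored, so rejecting leftovers would make misuse visible.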
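Review bot: The corrected line still pins `KUBECTL` to a binary under one user's home directory (`/home/worsch/.local/bin/kubectl`), so the script runs whatever sits at that path and fails for every other operator. Taking the value from the environment with a fallback, `KUBECTL="${KUBECTL:-kubectl}" ./create-user.sh \`, keeps the fix and removes the personal path. `./create-user.sh` is resolved against the current directory; unless the script changes into its own directory earlier (not visible in this hunk), a caller starting it from elsewhere will run a different file or none. The trailing `| cat` returns cat's status unless `pipefail` is set, so a failed create-user.sh can go unnoticed.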
@@ -4825,7 +4825,8 @@ def main(argv: list[str] | None = None) -> int:
 pat = getattr(args, "pattern", "t06-*") if hasattr(args, "pattern") else "t06-*"
 print("Delegating cleanup for pattern", pat, "to orchestrator...")
 import subprocess, os
- script = "sso-mfa/k8s/lldap/dry-run-nonroot-user.sh"
+ script = os.path.join(os.path.dirname(__file__), "..", "..", "sso-mfa", "k8s", "lldap", "dry-run-nonroot-user.sh")
+ script = os.path.abspath(script)
 subprocess.call(["bash", script, "--cleanup-only", pat])
 return 0
 if args.command == "handover-checklist":
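Review bot: The exit status of the delegated cleanup is discarded: `subprocess.call(...)` is followed by `return 0`, so a missing script or a failed cleanup is still reported as success. Returning the status, `return subprocess.call(["bash", script, "--cleanup-only", pat])`, lets callers and CI see the failure. `os.path.abspath` does not resolve symlinks, so if the console is started through a symlink the `..`/`..` walk begins at the link's directory; building the path from `os.path.realpath(__file__)` avoids that. main() begins and continues outside this hunk.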