Yes, we could do something like this. Maybe we add a new flag to the buildlet exec handler like "?detect-tmp-leak=1" and if so, it scans tmp before & after the run, and only complains if the command exited with success and any files in $TMPDIR (or equivalent) are new from the beginning of the run.
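A sketch of the before/after scan proposed in the comment above, as an added example that is not part of the original thread or the buildlet's own code. `snapshot` and `detectTmpLeak` are hypothetical names, a Go function stands in for the exec'd command, and only top-level entries of the directory are compared.

```go
package main

import (
	"fmt"
	"os"
	"sort"
)

// snapshot returns the names of the entries directly under dir.
func snapshot(dir string) (map[string]bool, error) {
	ents, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	seen := make(map[string]bool, len(ents))
	for _, e := range ents {
		seen[e.Name()] = true
	}
	return seen, nil
}

// detectTmpLeak runs fn (a stand-in for the exec'd command) and returns the
// entries that are new in dir afterwards. A failed run reports no leaks.
func detectTmpLeak(dir string, fn func() error) ([]string, error) {
	before, err := snapshot(dir)
	if err != nil {
		return nil, err
	}
	if err := fn(); err != nil {
		return nil, err
	}
	after, err := snapshot(dir)
	if err != nil {
		return nil, err
	}
	var leaked []string
	for name := range after {
		if !before[name] {
			leaked = append(leaked, name)
		}
	}
	sort.Strings(leaked)
	return leaked, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "leakdemo") // constructed scratch dir standing in for $TMPDIR
	defer os.RemoveAll(dir)
	fmt.Println(detectTmpLeak(dir, func() error { return os.WriteFile(dir+"/stray", nil, 0o600) }))
}
```
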
It seems if we are only concerned about Go code leaking temporary files, we
just need to create a new directory for each sub-repo, and set that as
$TMPDIR (%TMP% on Windows), so that we don't need to record files
in global $TMPDIR before each run (and we can also run multiple tests