From a82ca271a08bcb81b2b8c98189ebc49d6af6a40e Mon Sep 17 00:00:00 2001
From: sysadmin <sysadmin@silverlined.dev>
Date: Wed, 10 Jun 2026 09:28:45 +0100
Subject: [PATCH] feat(build): scrub Panther unattend + assert collector baked
 into boot.wim

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 windows/installer/oem/SetupComplete.cmd |  5 +++++
 windows/tests/Assert-IsoStructure.ps1   | 14 ++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/windows/installer/oem/SetupComplete.cmd b/windows/installer/oem/SetupComplete.cmd
index a3a67c4..1fffef9 100644
--- a/windows/installer/oem/SetupComplete.cmd
+++ b/windows/installer/oem/SetupComplete.cmd
@@ -33,5 +33,10 @@ if exist "C:\Program Files\SilverOS\Welcome\SilverOS.Welcome.App.exe" (
   powershell -NoProfile -ExecutionPolicy Bypass -File "%HARD%\Invoke-Hardening.ps1" >> "%LOG%" 2>&1
 )
 
+REM Plaintext-password hygiene: delete the cached answer file that holds the
+REM local account password in clear text. Runs as SYSTEM after accounts exist.
+del /f /q "%WINDIR%\Panther\unattend.xml" 2>nul
+del /f /q "%WINDIR%\Panther\Unattend\unattend.xml" 2>nul
+
 echo [%DATE% %TIME%] SilverMetal first-boot done >> "%LOG%"
 exit /b 0
diff --git a/windows/tests/Assert-IsoStructure.ps1 b/windows/tests/Assert-IsoStructure.ps1
index b7b749b..d8a3c43 100644
--- a/windows/tests/Assert-IsoStructure.ps1
+++ b/windows/tests/Assert-IsoStructure.ps1
@@ -56,6 +56,20 @@ try {
             }
         } finally { Dismount-WindowsImage -Path $mount -Discard | Out-Null }
     }
+
+    # boot.wim must carry the WinPE collector + winpeshl (the pre-config front-end).
+    $bootwim = "$drive\sources\boot.wim"
+    Assert 'boot.wim present' (Test-Path $bootwim)
+    if (Test-Path $bootwim) {
+        $bmount = Join-Path $env:TEMP ('sm-assert-boot-' + [guid]::NewGuid().ToString('N'))
+        New-Item -ItemType Directory -Force $bmount | Out-Null
+        Mount-WindowsImage -ImagePath $bootwim -Index 2 -Path $bmount -ReadOnly | Out-Null
+        try {
+            Assert 'collector staged in boot.wim' (Test-Path (Join-Path $bmount 'sm\Collector.ps1'))
+            Assert 'winpeshl.ini set'             (Test-Path (Join-Path $bmount 'Windows\System32\winpeshl.ini'))
+            Assert 'answer-file generator staged' (Test-Path (Join-Path $bmount 'sm\New-SmAnswerFile.ps1'))
+        } finally { Dismount-WindowsImage -Path $bmount -Discard | Out-Null; Remove-Item $bmount -Recurse -Force -EA SilentlyContinue }
+    }
 } finally {
     Dismount-DiskImage -ImagePath $IsoPath | Out-Null
     Remove-Item $mount -Recurse -Force -EA SilentlyContinue