From 08e42719ee098c59adc84dc1755dac952077a63a Mon Sep 17 00:00:00 2001
From: "Aaron D. Lee"
Date: Sat, 3 Jan 2026 23:10:50 -0500
Subject: [PATCH] Fix WiFi sanitization for NetworkManager (RPi OS Bookworm+)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Modern Raspberry Pi OS uses NetworkManager instead of wpa_supplicant. WiFi connections are stored in /etc/NetworkManager/system-connections/.
- Add removal of NetworkManager WiFi connections
- Update validation to check both locations
- Fixes WiFi credentials being baked into distributable images
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5
---
 rpi/sanitize-for-image.sh | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/rpi/sanitize-for-image.sh b/rpi/sanitize-for-image.sh
index e98b1e7..2a22f79 100755
--- a/rpi/sanitize-for-image.sh
+++ b/rpi/sanitize-for-image.sh
@@ -121,6 +121,17 @@ EOF
 rm -f "$BOOT_MOUNT/wpa_supplicant.conf" 2>/dev/null || true
 echo " Removed boot partition WiFi config"
 fi
+
+ # Remove NetworkManager connections (RPi OS Bookworm+)
+ if [ -d /etc/NetworkManager/system-connections ]; then
+ # Remove all WiFi connections (files containing type=wifi)
+ for conn in /etc/NetworkManager/system-connections/*; do
+ if [ -f "$conn" ] && grep -q "type=wifi" "$conn" 2>/dev/null; then
+ rm -f "$conn"
+ echo " Removed NetworkManager: $(basename "$conn")"
+ fi
+ done
+ fi
 fi

 # =============================================================================
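Review bot: The `grep -q "type=wifi"` test in the new removal loop identifies WiFi profiles by a single unanchored spelling of the connection type, so a keyfile written with the long name NetworkManager also accepts (`type=802-11-wireless`) would keep its PSK in the image. The validation hunk at `-320,7 +331,22` uses the same pattern, so it shares the blind spot and would report a pass. I would match both spellings and anchor the line in both places, `grep -Eq '^type=(wifi|802-11-wireless)[[:space:]]*$' "$conn"`. The "Removed NetworkManager" message is also printed whether or not `rm -f` succeeded; `rm -f "$conn" && echo …` keeps the log truthful. Profiles of other types (VPN, WireGuard, wired 802.1X) can carry secrets as well; whether they are in scope is not visible here, since the enclosing `if` starts outside the hunk.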
@@ -320,7 +331,22 @@ fi

 # Check WiFi (only for full sanitize)
 if [ "$SOFT_RESET" = false ]; then
+ WIFI_FOUND=false
+
+ # Check wpa_supplicant
 if grep -q "psk=" /etc/wpa_supplicant/wpa_supplicant.conf 2>/dev/null; then
+ WIFI_FOUND=true
+ fi
+
+ # Check NetworkManager
+ for conn in /etc/NetworkManager/system-connections/*; do
+ if [ -f "$conn" ] && grep -q "type=wifi" "$conn" 2>/dev/null; then
+ WIFI_FOUND=true
+ break
+ fi
+ done
+
+ if [ "$WIFI_FOUND" = true ]; then
 echo -e " ${RED}[FAIL]${NC} WiFi credentials still present"
 VALIDATION_ERRORS=$((VALIDATION_ERRORS + 1))
 else
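Review bot: The new NetworkManager check fails open: with `2>/dev/null`, `grep -q` returns non-zero both when no profile matches and when a keyfile cannot be read, so an unreadable profile is counted as clean and `WIFI_FOUND` stays false. Keyfiles in system-connections are normally readable by root only, and whether the script enforces root is outside this hunk, so a validation step should treat "could not inspect" as a failure. One way is `if [ -f "$conn" ] && { [ ! -r "$conn" ] || grep -q "type=wifi" "$conn"; }; then`. The `psk=` check on wpa_supplicant.conf just above suppresses read errors the same way, and the enclosing `if`/`else` continues past the end of the hunk.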