branding: enforce passwordless root via passwd -d -R; remove direct passwd/shadow edits

initramfs: switch to passwd -d -R in scripts/lib/initramfs.sh:initramfs_finalize_customization() for shadow-aware passwordless root (aligned with 9423b708 intent), drop sed and chpasswd paths, and add validation diagnostics. common: normalize INSTALL_DIR/COMPONENTS_DIR/KERNEL_DIR/DIST_DIR to absolute paths after sourcing config to prevent validation resolving under kernel/current. Dockerfile: include shadow (for passwd/chpasswd), ensure openssl and openssl-dev present; remove perl. config: introduce ZEROOS_PASSWORDLESS_ROOT default true and comment password vars. docs: NOTES.md updated with diagnostics and flow.

scripts/lib/initramfs.sh

@@ -580,14 +580,31 @@ function initramfs_finalize_customization() {
     # Branding guard (default disabled). Enable by setting ZEROOS_BRANDING=true (or ZEROOS_REBRANDING=true)
     local _branding="${ZEROOS_BRANDING:-${ZEROOS_REBRANDING:-false}}"
     
+    # Diagnostics: branding variables and environment
+    log_info "Branding debug: ZEROOS_BRANDING=${ZEROOS_BRANDING:-unset} ZEROOS_REBRANDING=${ZEROOS_REBRANDING:-unset} _branding=${_branding}"
+    log_info "Branding debug: PROJECT_ROOT=${PROJECT_ROOT:-unset} BUILD_CONF=${BUILD_CONF:-unset} PWD=$(pwd)"
+    
+    # Diagnostics: which auth files exist and their perms/owners
     if [[ "${_branding}" == "true" ]]; then
-        # Remove root password for passwordless login
-        log_info "Branding enabled: removing root password for passwordless login"
-        if [[ -f "${initramfs_dir}/etc/passwd" ]]; then
-            safe_execute sed -i 's/^root:[^:]*:/root::/' "${initramfs_dir}/etc/passwd"
-            log_info "✓ Root password removed"
+        # Passwordless root (legacy behavior aligned with 9423b708): remove root password
+        if command_exists "passwd"; then
+            log_info "Branding enabled: deleting root password via passwd -d -R '${initramfs_dir}'"
+            safe_execute chroot ${initramfs_dir} passwd -d  root
+            log_info "✓ Root password deleted (passwordless root)"
         else
-            log_warn "/etc/passwd not found, skipping password removal"
+            log_error "passwd not available in build container; install 'shadow' package to enable password deletion."
+        fi
+
+        # Diagnostics: sanitized previews (post-change)
+        if [[ -f "${initramfs_dir}/etc/passwd" ]]; then
+            local _passwd_post
+            _passwd_post=$(grep '^root:' "${initramfs_dir}/etc/passwd" 2>/dev/null | sed 's/^\(root:\)[^:]*:/\1(x):/')
+            log_info "Preview /etc/passwd (post): ${_passwd_post:-<no root entry>}"
+        fi
+        if [[ -f "${initramfs_dir}/etc/shadow" ]]; then
+            local _shadow_post
+            _shadow_post=$(grep '^root:' "${initramfs_dir}/etc/shadow" 2>/dev/null | sed 's/^\(root:\)[^:]*:/\1(***):/')
+            log_info "Preview /etc/shadow (post): ${_shadow_post:-<no root entry>}"
         fi
 
         # Update /etc/motd to Zero-OS
@@ -774,7 +791,12 @@ function initramfs_create_cpio() {
 function initramfs_validate() {
     local initramfs_dir_in="$1"
     local initramfs_dir
+
+    # Diagnostics to catch path/WD issues during validation
+    log_info "Validation debug: input='${initramfs_dir_in}' PWD=$(pwd) PROJECT_ROOT=${PROJECT_ROOT:-unset} INSTALL_DIR=${INSTALL_DIR:-unset}"
+
     initramfs_dir=$(resolve_path "${initramfs_dir_in}")
+    log_info "Validation debug: resolved initramfs_dir='${initramfs_dir}'"
     
     section_header "Validating initramfs contents"