imaging: run Verify-And-Heal-Staging at first logon before the network switch

Wire the staging self-heal into the imaging flow so a bay re-pulls any missing
payload while still on the imaging LAN (172.16.9.1), before wait-for-internet
takes it to the production network.

- FlatUnattendW10-shopfloor.xml: insert Verify-And-Heal-Staging.ps1 as
  FirstLogonCommands Order 5 (right after Fetch-StagingPayload Order 4, before
  wait-for-internet); renumber the rest 6-10. Run-ShopfloorSetup stays last and
  is NOT the heal point - it runs post-network-switch when the imaging LAN is
  gone.
- Fetch-StagingPayload.ps1: also pull the small Verify-And-Heal-Staging.ps1 to
  C:\Enrollment so the Order 5 step has it on disk.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

playbook/shopfloor-setup/Fetch-StagingPayload.ps1

@@ -142,6 +142,11 @@ $SFD = 'C:\Enrollment\shopfloor-setup'
 $PIN = 'C:\PreInstall'
 
 Fetch-Item -Label 'Run-ShopfloorSetup.ps1' -SrcDir 'shopfloor-setup' -DstDir $ENR -Files @('Run-ShopfloorSetup.ps1')
+# Verify-And-Heal-Staging runs as its own unattend step (right after this Fetch,
+# before the production-network switch) to re-pull anything that did not arrive -
+# including the heavy CMM payload Fetch does not carry. Pull the small script
+# itself here so it is on disk for that step.
+Fetch-Item -Label 'Verify-And-Heal-Staging.ps1' -SrcDir 'shopfloor-setup' -DstDir $ENR -Files @('Verify-And-Heal-Staging.ps1')
 Fetch-Item -Label 'backup_lockdown.bat'    -SrcDir 'shopfloor-setup' -DstDir $SFD -Files @('backup_lockdown.bat')
 Fetch-Item -Label 'Shopfloor baseline'     -SrcDir 'shopfloor-setup\Shopfloor'       -DstDir (Join-Path $SFD 'Shopfloor')       -Recurse
 Fetch-Item -Label 'common'                 -SrcDir 'shopfloor-setup\common'          -DstDir (Join-Path $SFD 'common')          -Recurse