imaging: run Verify-And-Heal-Staging at first logon before the network switch

Wire the staging self-heal into the imaging flow so a bay re-pulls any missing
payload while still on the imaging LAN (172.16.9.1), before wait-for-internet
takes it to the production network.

- FlatUnattendW10-shopfloor.xml: insert Verify-And-Heal-Staging.ps1 as
  FirstLogonCommands Order 5 (right after Fetch-StagingPayload Order 4, before
  wait-for-internet); renumber the rest 6-10. Run-ShopfloorSetup stays last and
  is NOT the heal point - it runs post-network-switch when the imaging LAN is
  gone.
- Fetch-StagingPayload.ps1: also pull the small Verify-And-Heal-Staging.ps1 to
  C:\Enrollment so the Order 5 step has it on disk.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

playbook/FlatUnattendW10-shopfloor.xml

@@ -161,26 +161,31 @@
 				</SynchronousCommand>
 				<SynchronousCommand wcm:action="add">
 					<Order>5</Order>
+					<CommandLine>powershell.exe -ExecutionPolicy Bypass -File "C:\Enrollment\Verify-And-Heal-Staging.ps1"</CommandLine>
+					<Description>Verify every imaging payload arrived and re-pull anything missing from the PXE share (incl the CMM bundle + selected-bay backup) while still on the imaging LAN, BEFORE wait-for-internet switches the bay to the production network. Log at C:\Logs\Fetch\.</Description>
+				</SynchronousCommand>
+				<SynchronousCommand wcm:action="add">
+					<Order>6</Order>
 					<CommandLine>powershell.exe -ExecutionPolicy Bypass -File "C:\Enrollment\wait-for-internet.ps1"</CommandLine>
 					<Description>Prompt to connect production network then wait for TCP 443 connectivity</Description>
 				</SynchronousCommand>
 				<SynchronousCommand wcm:action="add">
-					<Order>6</Order>
+					<Order>7</Order>
 					<CommandLine>powershell.exe -ExecutionPolicy Bypass -File "C:\Enrollment\migrate-to-wifi.ps1"</CommandLine>
 					<Description>Migrate from wired to WiFi if WiFi adapter present, else stay on wired</Description>
 				</SynchronousCommand>
 				<SynchronousCommand wcm:action="add">
-					<Order>7</Order>
+					<Order>8</Order>
 					<CommandLine>msiexec.exe /i "C:\PreInstall\installers\powershell7\PowerShell-7.5.4-win-x64.msi" /qn /norestart ADD_PATH=1 USE_MU=0 ENABLE_MU=0 DISABLE_TELEMETRY=1</CommandLine>
 					<Description>Install PowerShell 7 BEFORE PPKG so Intune SetupCredentials Win32App finds pwsh.exe (race fix)</Description>
 				</SynchronousCommand>
 				<SynchronousCommand wcm:action="add">
-					<Order>8</Order>
+					<Order>9</Order>
 					<CommandLine>powershell.exe -ExecutionPolicy Bypass -File "C:\run-enrollment.ps1"</CommandLine>
 					<Description>Run GCCH Enrollment</Description>
 				</SynchronousCommand>
 				<SynchronousCommand wcm:action="add">
-					<Order>9</Order>
+					<Order>10</Order>
 					<CommandLine>powershell.exe -ExecutionPolicy Bypass -File "C:\Enrollment\Run-ShopfloorSetup.ps1"</CommandLine>
 					<Description>Run shopfloor PC type setup</Description>
 				</SynchronousCommand>

playbook/shopfloor-setup/Fetch-StagingPayload.ps1

@@ -142,6 +142,11 @@ $SFD = 'C:\Enrollment\shopfloor-setup'
 $PIN = 'C:\PreInstall'
 
 Fetch-Item -Label 'Run-ShopfloorSetup.ps1' -SrcDir 'shopfloor-setup' -DstDir $ENR -Files @('Run-ShopfloorSetup.ps1')
+# Verify-And-Heal-Staging runs as its own unattend step (right after this Fetch,
+# before the production-network switch) to re-pull anything that did not arrive -
+# including the heavy CMM payload Fetch does not carry. Pull the small script
+# itself here so it is on disk for that step.
+Fetch-Item -Label 'Verify-And-Heal-Staging.ps1' -SrcDir 'shopfloor-setup' -DstDir $ENR -Files @('Verify-And-Heal-Staging.ps1')
 Fetch-Item -Label 'backup_lockdown.bat'    -SrcDir 'shopfloor-setup' -DstDir $SFD -Files @('backup_lockdown.bat')
 Fetch-Item -Label 'Shopfloor baseline'     -SrcDir 'shopfloor-setup\Shopfloor'       -DstDir (Join-Path $SFD 'Shopfloor')       -Recurse
 Fetch-Item -Label 'common'                 -SrcDir 'shopfloor-setup\common'          -DstDir (Join-Path $SFD 'common')          -Recurse