Fix reboot race + dispatcher owns all reboots

Two related fixes from the pipeline audit:

1. Stage-Dispatcher race condition (critical):
   Run-ShopfloorSetup.ps1 called shutdown /r /t 10 and the dispatcher
   had to write the next stage + register RunOnce within that 10-second
   window. If disk I/O was slow, the reboot fired before RunOnce was
   registered, and the chain broke.

   Fix: dispatcher now cancels Run-ShopfloorSetup's pending reboot
   (shutdown /a) immediately after it returns, then advances the stage
   and registers RunOnce with no time pressure, then initiates its own
   shutdown /r /t 5.

2. Dispatcher owns all reboots:
   Run-ShopfloorSetup.ps1 now checks the -FromDispatcher flag at the
   end. When called by the dispatcher, it schedules shutdown /r /t 30
   as a safety net (the dispatcher cancels it immediately). When called
   standalone (manual run or legacy FirstLogonCommands), it reboots
   directly with /t 10 as before.

   This means the dispatcher has full control over the reboot lifecycle:
   cancel -> advance stage -> register RunOnce -> reboot. No racing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

playbook/shopfloor-setup/Run-ShopfloorSetup.ps1

@@ -208,5 +208,14 @@ Write-Host "================================================================"
 # Flush transcript before shutdown so the log file is complete on next boot
 try { Stop-Transcript | Out-Null } catch {}
 
-Write-Host "Rebooting in 10 seconds..."
-shutdown /r /t 10
+if ($FromDispatcher) {
+    # Dispatcher owns the reboot — it cancels ours and reboots on its own
+    # terms after advancing the stage and re-registering RunOnce. We still
+    # schedule one as a safety net (dispatcher cancels it immediately).
+    Write-Host "Returning to Stage-Dispatcher for reboot."
+    shutdown /r /t 30
+} else {
+    # Standalone run (manual or legacy FirstLogonCommands) — reboot directly.
+    Write-Host "Rebooting in 10 seconds..."
+    shutdown /r /t 10
+}