CMM/DODA: fix DODA paths + CyberArk EPM policy doc

- 09-Setup-CMM.ps1: Step 2.5 ACL list targeted C:\Program Files\DODA (a path
  that never exists), so the BUILTIN\Users write grant on DODA was silently
  skipped. Corrected to C:\Apps\DODA, where Install-DODA.ps1 actually extracts.
- Install-DODA.ps1: create C:\Apps\DODA\PreProcess after extract. The DODA
  zip unpacks flat without it; MergeFiles.exe expects it and crashed with
  DirectoryNotFoundException (MergeFiles.GetDoDAFolder) when absent.
- docs/cyberark-cmm-doda-policy.md: EPM admin reference for elevating the CMM
  report toolchain. CyberArk EPM elevation is per-process and not inherited, so
  the external tools PC-DMIS spawns (MergeFiles/PCDToIGES/RotateProbeVector/
  DovetailAnalysis) run un-elevated and fail. Doc gives the Application Group
  (by SHA-256), the Elevate policy, scope, verify steps, and the
  CREATE_PDF_FROM_RTF.BAS rework that drops Word/Reader from the elevation set.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

playbook/shopfloor-setup/gea-shopfloor-cmm/09-Setup-CMM.ps1

@@ -180,7 +180,7 @@ $pcdmisDirs = @(
     'C:\Program Files\Hexagon\PC-DMIS 2026.1 64-bit',
     'C:\ProgramData\Hexagon',
     'C:\Program Files (x86)\General Electric\goCMM',
-    'C:\Program Files\DODA'
+    'C:\Apps\DODA'
 )
 foreach ($dir in $pcdmisDirs) {
     if (-not (Test-Path -LiteralPath $dir)) {