Install-FromManifest: add Hash detection for content-versioned files

Needed for eMxInfo.txt (site-specific eDNC config). The file has no
DisplayVersion in the registry and no canonical MSI; we ship it as a
standalone secret on the SFLD share and key drift correction off its
SHA256. When the yearly replacement drops, bump the hash in
machineapps-manifest.json and every Standard-Machine PC catches up on
next logon.

Patched Install-FromManifest in all three copies (CMM, common, Standard)
for consistency. Also adds the eMxInfo.txt entry to the Standard
machineapps-manifest template and an Install-eMxInfo.cmd template that
copies the file into both 32/64-bit eDNC Program Files paths.

playbook/shopfloor-setup/CMM/lib/Install-FromManifest.ps1

@@ -123,6 +123,20 @@ function Test-AppInstalled {
             "File" {
                 return Test-Path $App.DetectionPath
             }
+            "Hash" {
+                # Compare SHA256 of the on-disk file against the manifest's
+                # expected value. Used for content-versioned files that do not
+                # expose a DisplayVersion (secrets like eMxInfo.txt). Bumping
+                # DetectionValue in the manifest and replacing the file on the
+                # share is the entire update workflow.
+                if (-not (Test-Path $App.DetectionPath)) { return $false }
+                if (-not $App.DetectionValue) {
+                    Write-InstallLog "  Hash detection requires DetectionValue - treating as not installed" "WARN"
+                    return $false
+                }
+                $actual = (Get-FileHash -Path $App.DetectionPath -Algorithm SHA256 -ErrorAction Stop).Hash
+                return ($actual -ieq $App.DetectionValue)
+            }
             default {
                 Write-InstallLog "  Unknown detection method: $($App.DetectionMethod)" "WARN"
                 return $false