Stage 2a: unified GE-Enforce framework + share-root mirror

Consolidates per-type enforcers (CMM, Keyence, Machine, Common, Acrobat)
into one dispatcher driven by pc-type.txt + site-config and a share-side
manifest layout. Same share is now the single source of truth for routine
software updates without re-imaging.

Runtime:
  common/GE-Enforce.ps1           SYSTEM scheduled task. Reads
                                   common/manifest.json plus optional
                                   <pcType>/manifest.json and
                                   <pcType-subType>/manifest.json.
                                   Dispatches each entry through the lib.
                                   Writes _outputs/logs/<hostname>/status.json
                                   on the share after each cycle for fleet
                                   monitoring.
  common/Register-GEEnforce.ps1   Task registration. Triggers: AtLogOn +
                                   every 5 min (jittered per-PC from
                                   hostname hash) + daily at 05:45,
                                   13:45, 21:45 EST shift windows.
                                   Unregisters legacy per-type tasks on
                                   install so the two coexist at most for
                                   the duration of a single enforce cycle.
  common/Deploy-GEEnforce.ps1     Retrofit helper for already-imaged PCs
                                   (admin-run; copies runtime + registers
                                   task + optional immediate trigger).

Library (common/lib/Install-FromManifest.ps1):
  - New Type values: PS1, BAT, File, Registry, INF
  - New DetectionMethod values: Always, MarkerFile, ValueMatches, pnputil
  - TargetHostnames filter (exact + -like wildcards, ANDed with PCTypes)
  - Schema version check (logs WARN on manifest newer than lib MAJOR)
  - Auto-writes MarkerFile on successful one-shot PS1/BAT/CMD runs
  - MSI log scan on failure surfaces meaningful install errors
  - Lib version bumped 2.0 -> 2.1 for TargetHostnames

Observability:
  common/monitor-fleet-status.py  Scans _outputs/logs/*/status.json for
                                   stale check-ins, failed scopes, and
                                   version drift. Respects scope (dir-name),
                                   PCTypes, and TargetHostnames filters so
                                   entries excluded from a PC do not
                                   false-flag as drift.

Regression harness:
  common/test/                    Parameterized VM harness + README
                                   covering every action type plus
                                   rollback, bad/missing SFLD creds, and
                                   schema versioning.

Imaging integration:
  Run-ShopfloorSetup.ps1 now stages GE-Enforce.ps1 and lib to
  C:\Program Files\GE\Shopfloor\ and invokes Register-GEEnforce.ps1
  at the end of setup. Legacy Register-CommonEnforce invocation is
  kept for the transition; it and the legacy per-type enforcer files
  are dead code once Register-GEEnforce runs and will be removed in a
  dedicated cleanup pass.

Standard-Machine manifest:
  eDNC entry bumped 6.4.3 -> 6.4.5. DetectionValue pinned to the
  4-part FileVersion 6.4.5.0 verified against a fresh install in the
  Win11 analyzer VM. UDC DetectionValue pinned to 1.0.34 (registry
  stores 3-part for UDC; verified live).

scripts/mirror-from-gold.sh:
  Restructured around share-root rsyncs (one pass per Samba share)
  to close gaps in the prior per-subdir layout: winpeapps/_shared/
  Applications (7.5 GB of Adobe + fonts + Java + Office + OpenText
  + printdrivers + wireless + Zscaler), additional winpeapps image
  types, and enrollment flat-layout root files. Adds
  --skip-clonezilla and --skip-reports.

Verified end-to-end in the Win11 analyzer VM:
  - Every action Type and DetectionMethod round-tripped
  - PCTypes filter (Oracle excluded on Shopfloor, Firefox included
    on Shopfloor and DESKTOP-*, excluded elsewhere)
  - TargetHostnames filter (exact, wildcard, no-match)
  - Upgrade path: XML hash bump + fleet re-copy
  - Rollback path: history-archive restore propagates via enforcer,
    fleet converges back without per-PC intervention
  - Status writeback + monitor script drift detection
  - Graceful degradation on bad creds, missing creds, share
    unreachable (all exit 0, log clearly, retry next cycle)

Not in this commit (follow-ups):
  - Retire legacy per-type *-Enforce.ps1 files and simplify
    09-Setup-*.ps1 scripts (coordinated multi-file cleanup)
  - Stage 2b: InUseCheck close-and-reopen, ApplyMode gating,
    UpdateWindow, .apply-now.txt sentinel, BITS pre-staging,
    1618 mutex retry, PostInstallCheck, Uninstall action
  - Management app (manifest CRUD + deploy + rollback + fleet view)
  - ShopFloor autologon persistence bug (deferred for next imaging
    attempt with live registry evidence)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

playbook/shopfloor-setup/Run-ShopfloorSetup.ps1

@@ -286,13 +286,47 @@ Unregister-ScheduledTask -TaskName 'GE Re-enable Wired NICs' -Confirm:$false -Er
 }
 
 $commonSetupDir = Join-Path $PSScriptRoot 'common'
+
+# --- Register the unified GE-Enforce scheduled task ---
+# Replaces the per-type legacy enforcers (CMM-Enforce, Keyence-Enforce,
+# Machine-Enforce, Common-Enforce, Acrobat-Enforce). Register-GEEnforce.ps1
+# unregisters any of those legacy tasks before creating the new one, so
+# running this after the legacy Register-* invocations below is harmless
+# and race-free. Once a future repo cleanup retires the legacy Register-*
+# scripts entirely, those invocations below can be removed. Until then we
+# accept a brief moment of duplicate registration that Register-GEEnforce
+# itself resolves.
+$registerGE = Join-Path $commonSetupDir 'Register-GEEnforce.ps1'
+if (Test-Path -LiteralPath $registerGE) {
+    Write-Host ""
+    Write-Host "=== Registering unified GE Shopfloor enforcer ==="
+    try {
+        $enforcerRuntime = Join-Path $commonSetupDir 'GE-Enforce.ps1'
+        $libSource       = Join-Path $commonSetupDir 'lib\Install-FromManifest.ps1'
+        # Stage enforcer runtime so the scheduled task can reach it post-imaging.
+        $runtimeDir   = 'C:\Program Files\GE\Shopfloor'
+        $runtimeLib   = Join-Path $runtimeDir 'lib'
+        foreach ($d in @($runtimeDir, $runtimeLib)) {
+            if (-not (Test-Path $d)) { New-Item -Path $d -ItemType Directory -Force | Out-Null }
+        }
+        Copy-Item -LiteralPath $enforcerRuntime -Destination (Join-Path $runtimeDir 'GE-Enforce.ps1') -Force
+        Copy-Item -LiteralPath $libSource       -Destination (Join-Path $runtimeLib  'Install-FromManifest.ps1') -Force
+        & $registerGE -EnforcerPath (Join-Path $runtimeDir 'GE-Enforce.ps1')
+    } catch {
+        Write-Warning "GE-Enforce registration failed: $_"
+    }
+} else {
+    Write-Host "Register-GEEnforce.ps1 not found - skipping (legacy per-type enforcers remain active)"
+}
+
+# Legacy Common enforcer: kept for the transition period; GE-Enforce
+# unregisters the task it creates. Remove this block when the legacy
+# Common-Enforce.ps1 is retired from the repo.
 $registerCommon = Join-Path $commonSetupDir 'Register-CommonEnforce.ps1'
 if (Test-Path -LiteralPath $registerCommon) {
     Write-Host ""
-    Write-Host "=== Registering Common Apps enforcer ==="
+    Write-Host "=== (legacy) Registering Common Apps enforcer - will be superseded by GE-Enforce ==="
     try { & $registerCommon } catch { Write-Warning "Common enforce registration failed: $_" }
-} else {
-    Write-Host "Register-CommonEnforce.ps1 not found (optional) - skipping"
 }
 
 # Map S: drive on user logon for every account in BUILTIN\Users. The