Two related fixes from the pipeline audit:
1. Stage-Dispatcher race condition (critical):
Run-ShopfloorSetup.ps1 called shutdown /r /t 10 and the dispatcher
had to write the next stage + register RunOnce within that 10-second
window. If disk I/O was slow, the reboot fired before RunOnce was
registered, and the chain broke.
Fix: dispatcher now cancels Run-ShopfloorSetup's pending reboot
(shutdown /a) immediately after it returns, then advances the stage
and registers RunOnce with no time pressure, then initiates its own
shutdown /r /t 5.
2. Dispatcher owns all reboots:
Run-ShopfloorSetup.ps1 now checks the -FromDispatcher flag at the
end. When called by the dispatcher, it schedules shutdown /r /t 30
as a safety net (the dispatcher cancels it immediately). When called
standalone (manual run or legacy FirstLogonCommands), it reboots
directly with /t 10 as before.
This means the dispatcher has full control over the reboot lifecycle:
cancel -> advance stage -> register RunOnce -> reboot. No racing.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
45ff163eea