feat(welcome): Invoke-Hardening accepts -Modules subset + -ParamsJson

windows/hardening/Invoke-Hardening.ps1

@@ -1,17 +1,18 @@
 #Requires -Version 5.1
-<#  SilverMetal Enhanced - Windows | First-boot hardening runner.
-    Runs the §A-H modules (00*.ps1 .. 08*.ps1) in order, then the Verify gate.
-    Called by SetupComplete.cmd via -File (no cmd-quoting fragility). Logs to the
-    pipeline that SetupComplete redirects.
-#>
-[CmdletBinding()] param()
+<#  Runs the §A-H modules (optionally a subset) then Verify.
+    -Modules "00","03","05"  -> run only those numeric-prefixed modules (default: all 0*).
+    -ParamsJson '{"wdac":"audit"}' -> exported as $env:SM_PARAMS for modules to read.  #>
+[CmdletBinding()] param([string[]]$Modules, [string]$ParamsJson)
 $ErrorActionPreference = 'Continue'
 $here = Split-Path -Parent $MyInvocation.MyCommand.Path
+if ($ParamsJson) { $env:SM_PARAMS = $ParamsJson }
 Write-Host "=== SilverMetal hardening modules ==="
-Get-ChildItem (Join-Path $here '0*.ps1') | Sort-Object Name | ForEach-Object {
-    Write-Host "--> $($_.Name)"
-    try { & $_.FullName } catch { Write-Warning "$($_.Name) FAILED: $_" }
+$all = Get-ChildItem (Join-Path $here '0*.ps1') | Sort-Object Name
+if ($Modules) { $all = $all | Where-Object { $Modules -contains $_.Name.Substring(0,2) } }
+foreach ($f in $all) {
+    Write-Host "--> $($f.Name)"
+    try { & $f.FullName } catch { Write-Warning "$($f.Name) FAILED: $_" }
 }
-Write-Host "=== Verify (effects needing reboot/PIN will show pending) ==="
+Write-Host "=== Verify ==="
 try { & (Join-Path $here 'Verify-SilverMetalWindows.ps1') } catch { Write-Warning "Verify error: $_" }
-Write-Host "=== SilverMetal hardening runner done ==="
+Write-Host "=== runner done ==="