feat(welcome): build bakes the published Welcome app + flavours into the image

Adds Invoke-PublishWelcome (dotnet publish win-x64 self-contained, runs pre-mount)
and Copy-WelcomePayload (copies publish output + flavours/*.json into $mount while
install.wim is open) called from Invoke-ServiceWim's try block. Both are gated on
SILVERMETAL_WELCOME_ENABLED != '0' (enabled by default). Hardening staging unchanged.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

windows/installer/build.ps1

@@ -117,6 +117,47 @@ function Invoke-ForceLegacySetup {
     }
 }
 
+# --- 3b. Publish Welcome app (runs before WIM mount; no mount needed) --------
+function Invoke-PublishWelcome {
+    if ($env:SILVERMETAL_WELCOME_ENABLED -eq '0') {
+        Write-Host '   SILVERMETAL_WELCOME_ENABLED=0 -- skipping Welcome app publish.' -ForegroundColor Yellow
+        return
+    }
+    Write-Stage 'Stage 3b: publish SilverOS Welcome app (win-x64 self-contained)'
+    $proj = Join-Path $WindowsDir 'welcome\src\SilverOS.Welcome.App'
+    $out  = Join-Path $WorkDir 'welcome-publish'
+    & dotnet publish $proj -c Release -f net9.0-windows10.0.19041.0 -r win-x64 --self-contained true -o $out
+    if ($LASTEXITCODE -ne 0) { throw 'Welcome app dotnet publish failed' }
+    Write-Host "   Published to: $out"
+}
+
+# --- 3c. Copy Welcome payload into mounted WIM (called inside Invoke-ServiceWim) ---
+function Copy-WelcomePayload {
+    if ($env:SILVERMETAL_WELCOME_ENABLED -eq '0') {
+        Write-Host '   SILVERMETAL_WELCOME_ENABLED=0 -- skipping Welcome payload copy.' -ForegroundColor Yellow
+        return
+    }
+    Write-Stage 'Stage 3c: stage SilverOS Welcome app + flavours into mounted image'
+    $out = Join-Path $WorkDir 'welcome-publish'
+    if (-not (Test-Path $out)) { throw "Welcome publish output not found at '$out' -- did Invoke-PublishWelcome succeed?" }
+    # Destination: C:\Program Files\SilverOS\Welcome (+ flavours subdir)
+    $dest        = Join-Path $mount 'Program Files\SilverOS\Welcome'
+    $destFlavours = Join-Path $dest 'flavours'
+    $null = New-Item -ItemType Directory -Force $dest, $destFlavours
+    # Copy published app (SilverOS.Welcome.App.exe + all runtime deps)
+    Copy-Item "$out\*" $dest -Recurse -Force
+    # Copy flavour definitions (*.json)
+    $flavoursDir = Join-Path $WindowsDir 'flavours'
+    $flavourFiles = Get-ChildItem $flavoursDir -Filter '*.json' -EA SilentlyContinue
+    if ($flavourFiles) {
+        Copy-Item $flavourFiles.FullName $destFlavours -Force
+        Write-Host "   Copied $($flavourFiles.Count) flavour(s) to $destFlavours"
+    } else {
+        Write-Warning "   No *.json flavour files found in $flavoursDir -- image will ship with no flavours."
+    }
+    Write-Host "   Welcome payload staged at $dest"
+}
+
 # --- 3. Service the WIM offline (DISM) -------------------------------------
 function Invoke-ServiceWim {
     Write-Stage 'Stage 3: offline-service install.wim'
@@ -159,6 +200,9 @@ function Invoke-ServiceWim {
         $null = New-Item -ItemType Directory -Force $scripts, (Join-Path $scripts 'hardening')
         Copy-Item (Join-Path $PSScriptRoot 'oem\SetupComplete.cmd') $scripts -Force
         Copy-Item (Join-Path $WindowsDir 'hardening\*') (Join-Path $scripts 'hardening') -Recurse -Force
+
+        # Stage Welcome app + flavours while the WIM is still mounted.
+        Copy-WelcomePayload
     } finally {
         Dismount-WindowsImage -Path $mount -Save | Out-Null
     }
@@ -217,7 +261,8 @@ function Invoke-Attest {
 Invoke-VerifyInput
 Invoke-Extract
 Invoke-ForceLegacySetup
-Invoke-ServiceWim
+Invoke-PublishWelcome   # publish Welcome app before mount (no WIM needed)
+Invoke-ServiceWim       # mounts WIM, stages hardening + Welcome payload, dismounts
 Invoke-InjectUnattend
 Invoke-Brand
 Invoke-Repack