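@echo off
REM ===========================================================================
REM SilverMetal Enhanced - Windows : first-boot entry point.
REM Invoked once by autounattend.xml FirstLogonCommands. Runs the shared
REM hardening/ modules in order, logs to disk, then schedules verification.
REM
REM The hardening/ modules are staged into C:\Windows\Setup\Scripts\hardening
REM by build.ps1 (stage 4). They are SHARED with the self-apply track.
REM
REM Design:   ../../iso-builder.md
REM Controls: ../../hardening-spec.md
REM SCAFFOLD (M0): module bodies stubbed; safe to run (modules log and no-op
REM until implemented at M1).
REM
REM Exit code: always 0. A failed module run or a failed task registration is
REM written to the log as an ERROR line instead of being returned, so the log
REM must be checked before a machine is treated as hardened.
REM ===========================================================================
setlocal

REM Quoted "name=value" form keeps stray trailing spaces out of the paths.
set "LOG=C:\Windows\Setup\Scripts\silvermetal-firstboot.log"
set "HARD=C:\Windows\Setup\Scripts\hardening"

echo [%DATE% %TIME%] SilverMetal first-boot start >> "%LOG%"

REM Run every 0*.ps1 module in name order; $ErrorActionPreference='Stop' makes
REM the first failing module abort the run with a non-zero exit code.
REM
REM Quoting: cmd.exe does not treat \" as an escape, so the PowerShell text
REM below uses single-quoted strings only. An embedded \" would end the cmd
REM quote early and leave the '>' of the banner to be parsed as a redirection.
REM
REM Logging: each module's streams are merged into stdout (*>&1) and captured
REM by the single cmd redirection at the end. Appending to %LOG% from inside
REM PowerShell as well would open the same file a second time while cmd holds
REM it, and Windows PowerShell would append in a different encoding than echo.
powershell -NoProfile -ExecutionPolicy Bypass -Command ^
  "$ErrorActionPreference='Stop';" ^
  "Get-ChildItem '%HARD%\0*.ps1' | Sort-Object Name | ForEach-Object {" ^
  "  Write-Host ('--> ' + $_.Name);" ^
  "  & $_.FullName *>&1" ^
  "}" >> "%LOG%" 2>&1
set "HARDEN_RC=%ERRORLEVEL%"
if not "%HARDEN_RC%"=="0" (
  echo [%DATE% %TIME%] ERROR: hardening modules failed, powershell exit code %HARDEN_RC%. >> "%LOG%"
)

REM Register the verification task to run after the first full boot/login.
REM The task runs with highest privileges and -ExecutionPolicy Bypass, so the
REM script it points at must stay writable by administrators only.
REM NOTE(review): confirm the ACLs on %HARD% after build.ps1 staging.
schtasks /Create /TN "SilverMetal\Verify" /SC ONLOGON /RL HIGHEST /F ^
  /TR "powershell -NoProfile -ExecutionPolicy Bypass -File %HARD%\Verify-SilverMetalWindows.ps1" >> "%LOG%" 2>&1
set "VERIFY_RC=%ERRORLEVEL%"
if not "%VERIFY_RC%"=="0" (
  echo [%DATE% %TIME%] ERROR: could not register SilverMetal\Verify, schtasks exit code %VERIFY_RC%. >> "%LOG%"
)

echo [%DATE% %TIME%] SilverMetal first-boot done >> "%LOG%"
exit /b 0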