
fix(enroll): eleventh audit — container liveness, silent set-e exits, &&|| antipattern, age-key remediation #183

Merged
mdheller merged 1 commit into main from fix/enroll-eleventh-audit
Jun 16, 2026

Conversation

@mdheller (Member)

Summary

  • HIGH — Foreman wait loop: container crash detected only after 30-min MAX_WAIT timeout. docker exec katello-foreman ... 2>/dev/null silently swallows the "container not running" error and the loop keeps counting. Added docker ps --filter status=running liveness check inside the loop that dies immediately with logs/restart commands. Also tightened progress interval from 60s to 30s.
  • MEDIUM — nixos-generate-config ... > ${HW_CONFIG}.tmp: failure triggered silent set -e exit with no remediation message. Added || die with journalctl hint.
  • MEDIUM — KATELLO_PASSWORD=$(cat "${KATELLO_ADMIN_PW_FILE}"): missing file (not just empty) caused cat to exit non-zero, firing set -e before the guard die with regeneration steps could run. Added file-existence pre-check with clear rm + re-run remediation.
  • MEDIUM — age-keygen -y "${AGE_KEY}": corrupt key exited non-zero, firing set -e before the empty-guard die. Added || die with full regeneration instructions including removing secrets.yaml.
  • MEDIUM — nix copy ... && ok ... || warn ... (×2 in step 11): classic &&...|| anti-pattern — if ok exits non-zero for any reason, warn fires on a successful push. Replaced both with if/else.
  • MEDIUM — Same &&...|| in Katello CV promotion loop. Replaced with if/else.

Test plan

  • bash -n scripts/enroll.sh — syntax clean
  • Kill katello-foreman container mid-wait → immediate die with logs command (not 30-min timeout)
  • Remove hardware-configuration.nix target dir (simulate nixos-generate-config fail) → clear die
  • Delete katello-admin-password file before step 4 exits → pre-check die fires with correct remediation
  • Write garbage to age.key, run step 3 re-entry → age-keygen -y || die fires with rm instructions
  • Verify nix copy if/else branches each print correctly

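The three shell failure modes the summary describes (the &&...|| anti-pattern, a silent set -e exit on a failed command substitution, and a wait loop with no liveness check), each beside its fix, as an added example. This is not code from scripts/enroll.sh or from this PR: ok, warn, die, push, container_running, service_ready, TICK, CRASH_AT and READY_AT are illustrative stand-ins for the real logger, nix copy and docker commands, chosen so the script runs offline; the silent-exit case is reproduced in a child bash -e rather than by killing the calling shell.

```bash
#!/usr/bin/env bash
# Added example, not scripts/enroll.sh: the three shell failure modes from the
# audit, each beside its fix. ok/warn/die, push, container_running,
# service_ready, TICK, CRASH_AT and READY_AT are illustrative stand-ins so the
# script runs offline without docker or nix.

ok()   { echo "[ok] $*";   return "${OK_STATUS:-0}"; }   # OK_STATUS=1 simulates ok failing
warn() { echo "[warn] $*"; }
die()  { echo "[die] $*";  return 1; }                   # returns so callers stay testable

push() { [ "$1" = succeed ]; }                           # stand-in for `nix copy`

# 1. `push && ok ... || warn ...`: when ok exits non-zero, warn fires after a
#    successful push, so the log reports a failure that did not happen.
push_antipattern() {
  push "$1" && ok "pushed" || warn "push failed"
  return 0
}

# Fix: if/else ties warn to push's status alone; ok's status no longer matters.
push_fixed() {
  if push "$1"; then ok "pushed"; else warn "push failed"; fi
  return 0
}

# 2. Under set -e, PW=$(cat "$file") on a missing file exits on cat's status
#    before the empty-value guard runs. A child `bash -e` reproduces that exit.
read_pw_antipattern() {
  local out
  out=$(bash -ec 'pw=$(cat "$1" 2>/dev/null)
    [ -n "$pw" ] || { echo "die: password file empty, rm it and re-run"; exit 1; }
    echo "got password"' _ "$1") || echo "silent exit (status $?): no remediation printed"
  [ -n "$out" ] && echo "$out"
  return 0
}

# Fix: check existence first and attach || die to every command that can fail.
read_pw_fixed() {
  local f=$1 pw
  [ -f "$f" ] || { die "password file missing: rm '$f' and re-run to regenerate it"; return 0; }
  pw=$(cat "$f") || { die "could not read $f"; return 0; }
  [ -n "$pw" ] || { die "password file empty: rm '$f' and re-run"; return 0; }
  echo "got password"
}

# 3. A wait loop that only polls readiness cannot tell a crashed container from
#    a slow one until MAX_WAIT. TICK counts simulated seconds; the container
#    "crashes" at CRASH_AT and would become ready at READY_AT.
TICK=0
container_running() { [ "$TICK" -lt "${CRASH_AT:-999}" ]; }                        # docker ps --filter status=running
service_ready()     { container_running && [ "$TICK" -ge "${READY_AT:-999}" ]; }  # docker exec ... readiness probe

# Returns 0 ready, 1 container died (liveness check on), 2 timed out.
wait_for_service() {
  local max_wait=$1 check_liveness=$2
  TICK=0
  while [ "$TICK" -lt "$max_wait" ]; do
    if service_ready 2>/dev/null; then return 0; fi       # 2>/dev/null hides the crash, as in the audit
    if [ "$check_liveness" = yes ] && ! container_running; then
      die "container exited after ${TICK}s; inspect its logs and restart it" >&2
      return 1
    fi
    TICK=$((TICK + 1))                                    # stands in for sleep 1
  done
  return 2
}

# Demo run: each anti-pattern beside its fix.
OK_STATUS=1; push_antipattern succeed; push_fixed succeed; OK_STATUS=0
read_pw_antipattern /nonexistent/katello-admin-password
read_pw_fixed /nonexistent/katello-admin-password
CRASH_AT=3 READY_AT=10
rc=0; wait_for_service 30 no  || rc=$?; echo "no liveness check:   status $rc after $TICK ticks"
rc=0; wait_for_service 30 yes || rc=$?; echo "with liveness check: status $rc after $TICK ticks"
```

With the liveness check the loop returns at tick 3, when the simulated container dies, instead of running to the 30-tick timeout; the same check in the real loop is what turns a 30-minute silent wait into an immediate die with remediation.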
@mdheller mdheller merged commit c7e6b71 into main Jun 16, 2026
@mdheller mdheller deleted the fix/enroll-eleventh-audit branch June 16, 2026 19:24