## Why
The `disable-firewall-prompts` step in `recipes/hydrabody-windows.yaml` (lines 30-33: `Set-NetFirewallProfile -Profile Domain,Public,Private -NotifyOnListen False`) landed today (alongside the #123/124 setSunshineConfig fix). Bodies enrolled before this step ran did NOT pick it up — confirmed today by manually fixing cosmic-pretzel-98 to clear a Windows Firewall popup that blocked first-peer Sunshine pairing (#126).
## Bodies affected
Anyone enrolled before today's recipe update. Verified pre-bake at the time of writing:
- **cosmic-pretzel-98** (`node-4c2be4b0`) — manually fixed today, no follow-up needed
- **boom-pickle-38** (`node-74f9fbf2`, rupelmonde, currently offline) — reprovision flagged
- **wobbly-llama-92** (`node-5f8b7b59`, bxl1-test, currently offline) — reprovision flagged
The reprovision flag is set via `POST /api/v1/nodes/{id}/reprovision` and consumed on the next heartbeat after the body comes back online. No action needed when they boot up — they'll re-run the recipe automatically.
## Action
1. Set reprovision on every body that was enrolled before this week. Done for boom-pickle-38 and wobbly-llama-92 at filing time.
2. After each body reprovisions, verify `NotifyOnListen=False` on all profiles (`Get-NetFirewallProfile | Select-Object Name, NotifyOnListen`).
3. Optional defensive: add an idempotent self-heal in hydrabody's tick that asserts the firewall settings match the recipe's intent, so a body that drifted (or skipped a step) corrects itself within a few minutes of starting up. Out of scope here, file separately if useful.
## Verify
Once both bodies come online, re-run `Get-NetFirewallProfile -Profile Public | Select Name,NotifyOnListen` via hydracluster exec — must return `False`.
## Out of scope
- Other recipe drift (e.g. `setSunshineConfig` from #123/124) — also fixed by reprovision; mention in the closing comment of this issue.
- Mac Mini heads — different recipe (`hydraheadflatscreen-macos.yaml`), no firewall step there.
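
A sketch of the check in Action step 2 and the idempotent self-heal suggested in step 3, added here as an example and not taken from hydrabody or the recipe. The function name `Test-FirewallPromptDrift` and its `-Fix` switch are hypothetical; only `Get-NetFirewallProfile` and `Set-NetFirewallProfile` are real cmdlets, and changing the setting requires an elevated session.

```powershell
# Added example (not hydrabody code): report and optionally correct drift from
# the recipe's intent, NotifyOnListen=False on the Domain, Public and Private profiles.
function Test-FirewallPromptDrift {
    [CmdletBinding()]
    param(
        # Profiles the recipe step covers.
        [string[]]$Profiles = @('Domain', 'Public', 'Private'),
        # Hypothetical switch: when set, drifted profiles are corrected.
        [switch]$Fix
    )

    foreach ($p in Get-NetFirewallProfile -Profile $Profiles) {
        # NotifyOnListen is an enum (True / False / NotConfigured); compare as text.
        # NotConfigured counts as drift because the recipe sets False explicitly.
        $before = [string]$p.NotifyOnListen
        $after  = $before

        if ($before -ne 'False' -and $Fix) {
            # Touch only the drifted profile so repeated runs are no-ops.
            Set-NetFirewallProfile -Profile $p.Name -NotifyOnListen False
            # Re-read instead of assuming the write took effect.
            $after = [string](Get-NetFirewallProfile -Profile $p.Name).NotifyOnListen
        }

        [pscustomobject]@{
            Profile   = $p.Name
            Before    = $before
            After     = $after
            Changed   = ($before -ne $after)
            Compliant = ($after -eq 'False')
        }
    }
}

# Report only (step 2); add -Fix for the self-heal behaviour (step 3).
$report = @(Test-FirewallPromptDrift)
$report | Format-Table -AutoSize

# Non-zero exit lets a remote exec wrapper or a periodic tick detect remaining drift.
if ($report.Compliant -contains $false) { exit 1 }
```

If a profile still shows `Compliant = False` after a `-Fix` run, the value is likely being overridden elsewhere (for example by Group Policy) and reprovisioning alone will not clear the prompt.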