v0.5.25: don't run veilor-firstboot on live ISO

Live ISO boot chain showing extra step:
  boot → text scroll → veilor-firstboot prompts admin pw → installer

veilor-firstboot.service was enabled in live ks but it's an INSTALLED
system feature (forces admin pw set on first real boot). Made no
sense to ask on live (no persistent admin user, throwaway VM, etc).

Live ks now: doesn't enable veilor-firstboot, masks the unit so
overlay-copied unit file can't auto-activate. Install ks chroot %post
already enables it (correct path).

After fix:
  boot → text scroll → installer banner directly

kickstart/veilor-os.ks

@@ -268,9 +268,14 @@ compression-algorithm = zstd
 EOF
 
 # Enable services
-systemctl enable veilor-firstboot.service
+# veilor-firstboot.service NOT enabled on live ISO — it prompts admin pw
+# which makes no sense on a live boot. Real installs enable it in their
+# generated kickstart's chroot %post (see overlay/usr/local/bin/veilor-installer).
 systemctl enable veilor-modules-lock.service
 systemctl enable sshd fail2ban usbguard tuned auditd firewalld chronyd
+# Mask veilor-firstboot on live so even if it landed in /etc/systemd/system
+# (overlay drag), it can't activate.
+systemctl mask veilor-firstboot.service 2>/dev/null || true
 
 # Default tuned profile = balanced (AC/battery udev rule will override)
 tuned-adm profile veilor-balanced 2>/dev/null || true