diff --git a/devops/docker/build-all.ps1 b/devops/docker/build-all.ps1
index 8d8225eb2..e09529db4 100644
--- a/devops/docker/build-all.ps1
+++ b/devops/docker/build-all.ps1
@@ -55,6 +55,11 @@ if ([string]::IsNullOrWhiteSpace($RuntimeImage)) {
     $RuntimeImage = if ([string]::IsNullOrWhiteSpace($env:RUNTIME_IMAGE)) { 'mcr.microsoft.com/dotnet/aspnet:10.0-noble' } else { $env:RUNTIME_IMAGE }
 }
 
+if ($Registry.StartsWith('-')) {
+    Write-Error "Registry value '$Registry' is invalid. Invoke build-all.ps1 with named parameters so switches are not passed positionally."
+    exit 1
+}
+
 $Root = git rev-parse --show-toplevel 2>$null
 if (-not $Root) {
     Write-Error 'Not inside a git repository.'
diff --git a/docs/implplan/SPRINT_20260309_001_Platform_scratch_setup_bootstrap_restore.md b/docs/implplan/SPRINT_20260309_001_Platform_scratch_setup_bootstrap_restore.md
index 1069e3ddb..581992f35 100644
--- a/docs/implplan/SPRINT_20260309_001_Platform_scratch_setup_bootstrap_restore.md
+++ b/docs/implplan/SPRINT_20260309_001_Platform_scratch_setup_bootstrap_restore.md
@@ -35,7 +35,7 @@ Completion criteria:
 - [x] The fix preserves `REGISTRY`, `TAG_SUFFIX`, `SDK_IMAGE`, and `RUNTIME_IMAGE` overrides.
 
 ### PLATFORM-SETUP-002 - Re-run clean platform bootstrap and continue QA
-Status: DOING
+Status: DONE
 Dependency: PLATFORM-SETUP-001
 Owners: QA, Developer
 Task description:
@@ -44,8 +44,8 @@ Task description:
 
 Completion criteria:
 - [x] The clean setup path is rerun from the repo script after the fix.
-- [ ] The stack is reachable through `https://stella-ops.local`.
-- [ ] The next live verification findings are captured for follow-on iterations.
+- [x] The stack is reachable through `https://stella-ops.local`.
+- [x] The next live verification findings are captured for follow-on iterations.
 
 ### PLATFORM-SETUP-003 - Repair scratch-bootstrap solution graph blockers
 Status: DONE
@@ -76,6 +76,8 @@ Completion criteria:
 | 2026-03-09 | Solution graph fixes committed: normalized solution file paths and consolidated Scheduler references (`e6094e3b5`), improved build script discovery and updated Verifier to System.CommandLine v8+ (`e0c79e0dc`). Running `build-all-solutions.ps1` to verify completion criteria. | Developer |
 | 2026-03-09 | All 36 solutions build successfully. Task 003 completion criteria met. Sprint complete. | QA |
 | 2026-03-10 | Another scratch-bootstrap recheck exposed false-negative third-party infra readiness. SeaweedFS was healthy but its dev-compose probe hit the S3 root that correctly returns `403`, and Zot was healthy but its vendor image does not include `wget`. Updated compose healthchecks and setup smoke probes to validate the real exposed endpoints instead of failing clean bootstraps on healthy services. | Developer |
+| 2026-03-11 | Performed another full Docker wipe, including Stella containers, images, volumes, and networks, then reran the documented Windows setup path from zero state. The next real bootstrap defect was positional switch forwarding from `scripts/setup.ps1` into `devops/docker/build-all.ps1`, which corrupted the registry argument (`-PublishNoRestore/router-gateway:dev`) and broke image tagging during the clean rebuild. | Developer |
+| 2026-03-11 | Reworked `scripts/setup.ps1` to splat named build parameters and added a fail-fast registry guard in `devops/docker/build-all.ps1`. After the fix, the documented scratch setup completed successfully, the compose stack came back healthy on `https://stella-ops.local`, and the authenticated canonical Playwright route sweep passed `111/111` on the rebuilt stack. | QA |
 
 ## Decisions & Risks
 - Decision: repair the documented setup path first instead of working around it with ad hoc manual builds, because scratch bootstrap is part of the product surface for this mission.
@@ -87,6 +89,7 @@ Completion criteria:
 - Decision: `scripts/build-all-solutions.ps1` must build only repo-owned solution surfaces under `src/`; vendored dependency trees such as frontend `node_modules` are excluded because they are not Stella bootstrap contracts and can contain native/Visual Studio samples that are invalid under `dotnet build`.
 - Decision: the canonical .NET image builder now uses local `dotnet publish` plus a runtime-only Docker context by default, because repo-root `docker build` repeated monorepo context transfer for every service and made scratch setup unreasonably slow on Windows.
 - Decision: scratch-setup readiness for third-party infra now relies on host-level HTTP probes in the setup smoke scripts, because vendor images do not consistently ship shell/network helpers and some valid readiness responses are auth-gated (`403`) rather than `200`.
+- Decision: the setup script must pass Docker build switches as named parameters, not positional strings, because scratch bootstrap is a product surface and positional forwarding can silently corrupt image naming in PowerShell.
 
 ## Next Checkpoints
 - 2026-03-09: rerun `scripts/setup.ps1 -SkipBuild` after the parser fix.
diff --git a/scripts/setup.ps1 b/scripts/setup.ps1
index 67ae9d637..98a0de6ce 100644
--- a/scripts/setup.ps1
+++ b/scripts/setup.ps1
@@ -432,12 +432,12 @@ function Build-Images([switch]$PublishNoRestore) {
     Write-Step 'Building Docker images'
     $buildScript = Join-Path $Root 'devops/docker/build-all.ps1'
     if (Test-Path $buildScript) {
-        $buildArguments = @()
+        $buildParameters = @{}
         if ($PublishNoRestore) {
-            $buildArguments += '-PublishNoRestore'
+            $buildParameters['PublishNoRestore'] = $true
         }
 
-        & $buildScript @buildArguments
+        & $buildScript @buildParameters
         if ($LASTEXITCODE -ne 0) {
             Write-Fail 'Docker image build failed.'
             exit 1