fix(welcome): escape bootstrapUser + assert daily user is not admin

windows/welcome/src/SilverOS.Welcome.Core/Apply/BootstrapService.cs

@@ -6,8 +6,10 @@ public sealed class BootstrapService(IProcessRunner runner) : IBootstrapService
         const string key = "'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon'";
         await Ps($"Set-ItemProperty {key} -Name AutoAdminLogon -Value 0; " +
                  $"Remove-ItemProperty {key} -Name DefaultPassword -EA SilentlyContinue", ct);
-        await Ps($"Remove-LocalUser -Name '{bootstrapUser}' -EA SilentlyContinue", ct);
+        var u = Esc(bootstrapUser);
+        await Ps($"Remove-LocalUser -Name '{u}' -EA SilentlyContinue", ct);
     }
+    private static string Esc(string s) => s.Replace("'", "''");
     private Task Ps(string s, CancellationToken ct) =>
         runner.RunAsync("powershell.exe", $"-NoProfile -ExecutionPolicy Bypass -Command \"{s}\"", ct);
 }

windows/welcome/tests/SilverOS.Welcome.Tests/ApplyServicesTests.cs

@@ -19,6 +19,10 @@ public class ApplyServicesTests
         // daily user is a Standard user (added to Users, NOT Administrators)
         run.Verify(r => r.RunAsync("powershell.exe", It.Is<string>(s =>
             s.Contains("New-LocalUser") && s.Contains("alice")), It.IsAny<CancellationToken>()));
+        // negative: the daily-user New-LocalUser call must never mention Administrators
+        run.Verify(r => r.RunAsync("powershell.exe", It.Is<string>(s =>
+            s.Contains("New-LocalUser") && s.Contains("alice") && !s.Contains("Administrators")),
+            It.IsAny<CancellationToken>()), Times.Once);
         run.Verify(r => r.RunAsync("powershell.exe", It.Is<string>(s =>
             s.Contains("'SilverOS Admin'") && s.Contains("Administrators")), It.IsAny<CancellationToken>()));
     }