Potential fix for code scanning alert no. 2: Uncontrolled command line

[Rootless-Ghost]

Potential fix for https://github.com/Rootless-Ghost/AtomicLoop/security/code-scanning/2

General fix: ensure that commands reaching execution are validated against a known-safe template from embedded atomics, rather than trusting any already-substituted string. The safest approach is to validate at the engine layer (where the selected test definition is available) that the final command is exactly the result of substituting only declared placeholders into the selected test template.

Best concrete fix (without changing intended functionality):

• In core/engine.py, after computing command and optional cleanup_command, add a strict verifier that:
  1. Reconstructs expected command text from test["command"] and test["cleanup_command"] using the same substitute_variables_safe.
  2. Rejects execution if reconstructed command does not match actual command/cleanup_command.
• This creates an explicit integrity check that ties execution to the selected embedded atomic template and blocks tampered/free-form command strings.
• No new dependencies are needed.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.