fix: guard against NULL/empty DACL to prevent wiping drive root permissions

[sigmeta]

When a directory (e.g. C:) has a NULL DACL (no DACL section at all), GetAccessControl() returns zero rules. Adding our AppContainer ACE and calling SetAccessControl() then replaces the implicit full-access with a single-entry DACL, stripping Administrators/Users/SYSTEM permissions.

Add IsNullOrEmptyDacl() helper that inspects the SDDL string for a missing or empty D: section. Guard all three ACL-write paths:

• GrantAccess (dir + file branches)
• GrantAncestorTraverse
• SetupDriveTraverse

NULL DACL semantically grants everyone full access (including AppContainer), so skipping the write is functionally correct.

Description

Related Issue

Changes

Type of Change

• Bug fix (non-breaking change that fixes an issue)
• New feature (non-breaking change that adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• CI/CD or build configuration change
• Refactoring (no functional changes)

Testing

• Tests pass locally (cd desktop && npm run test)
• Renderer tests pass locally (cd desktop/renderer && npm run test)
• Build succeeds (cd desktop && npm run build)
• Manual testing performed (describe below)

Checklist

• My code follows the coding guidelines of this project
• I have performed a self-review of my code
• I have commented my code where necessary
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or my feature works
• New and existing unit tests pass locally with my changes