v1.16.1 - Elevated FixEngine wrapper hardening

@sauravbhattacharya001 sauravbhattacharya001 released this 19 May 05:11
· 117 commits to main since this release

🔒 Security

  • FixEngine.ExecuteElevatedAsync: escape apostrophes in temp paths before embedding them in the elevated PowerShell wrapper.
    The elevated remediation path builds a PowerShell try/catch wrapper around Path.GetTempPath()-derived script/output/error paths and runs it with Verb=runas (UAC). GUID nonces kept the file names safe, but the directory portion (%USERPROFILE%\AppData\Local\Temp by default) is attacker-influenceable — a Windows account display name containing an apostrophe (e.g. O'Brien) or a hijacked TEMP / TMP env var would close the PowerShell single-quoted literal and turn the wrapper into a command-injection sink running with administrator privileges.

    The fix adds EscapePowerShellSingleQuoted (doubles every ', matching the PowerShell / SQL single-quoted escape rule) and applies it to the script, output, and error paths before interpolation.
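The escaping rule described above, as an added example; this is not WinSentinel's code. The body of `EscapePowerShellSingleQuoted`, its empty-string result for null, the wrapper text in `BuildWrapper`, and the sample path are assumptions. The example goes one step beyond the release note by also doubling the typographic quote characters that PowerShell's parser accepts as single-quote delimiters.

```csharp
using System;
using System.Text;

static class ElevatedWrapperExample
{
    // Hypothetical re-implementation: the release note names this helper
    // but does not show its body. Returning "" for null is an assumption.
    internal static string EscapePowerShellSingleQuoted(string value)
    {
        if (string.IsNullOrEmpty(value)) return string.Empty;
        var sb = new StringBuilder(value.Length + 8);
        foreach (char c in value)
        {
            sb.Append(c);
            // PowerShell ends a single-quoted literal on ' and on the typographic
            // variants U+2018..U+201B; writing the character twice escapes it.
            if (c == '\'' || (c >= '\u2018' && c <= '\u201B')) sb.Append(c);
        }
        return sb.ToString();
    }

    // Hypothetical wrapper shape (the real wrapper text is not on the page):
    // run the script, redirect all streams to the output file, record failures.
    internal static string BuildWrapper(string scriptPath, string outputPath, string errorPath)
    {
        string s = EscapePowerShellSingleQuoted(scriptPath);
        string o = EscapePowerShellSingleQuoted(outputPath);
        string e = EscapePowerShellSingleQuoted(errorPath);
        return $"try {{ & '{s}' *> '{o}' }} catch {{ $_ | Out-File -LiteralPath '{e}' }}";
    }

    static void Main()
    {
        // Constructed sample: a temp directory under a profile with an apostrophe.
        string temp = @"C:\Users\O'Brien\AppData\Local\Temp\";
        string script = temp + Guid.NewGuid().ToString("N") + ".ps1";

        // Before the fix: the literal ends after "O" and the rest parses as code.
        Console.WriteLine("unescaped: '" + script + "'");
        // After the fix: the doubled quote keeps the whole path inside one literal.
        Console.WriteLine("escaped:   '" + EscapePowerShellSingleQuoted(script) + "'");
        Console.WriteLine(BuildWrapper(script, script + ".out", script + ".err"));
    }
}
```

Code that already references System.Management.Automation can call `CodeGeneration.EscapeSingleQuotedStringContent` for the same escaping instead of maintaining its own helper.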

✅ Tests

  • New FixEngineTests.EscapePowerShellSingleQuoted_* theory + null case covering plain, empty, normal Windows temp paths, apostrophe-bearing user paths, raw injection payloads, and null.

🧱 Build

  • WinSentinel.Core.csproj: switch to the proper <ItemGroup>-scoped <InternalsVisibleTo Include="WinSentinel.Tests" /> form so the test project can exercise the new internal helper.

Full diff: v1.16.0...v1.16.1