CHEF-19255 Fix named pipes to be more secure

[sa-progress]

Description

This PR implements security best practices for Windows named pipe usage in the local transport.

• Randomizes pipe names
• Sets strict ACLs on named pipes
• Verifies pipe ownership before connecting
• Ensures fully qualified paths are used for PowerShell execution

Related Issue

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New content (non-breaking change)
• Breaking change (a content change which would break existing functionality or processes)

Checklist

• I have read the CONTRIBUTING document.

[Copilot]

Pull Request Overview

This PR enhances security for Windows named pipes in the local transport by enforcing ACLs, verifying ownership, and adding corresponding tests.

• Enforce ownership checks before pipe connection and raise on unauthorized access
• Configure strict pipe ACLs in PowerShell when starting the server
• Introduce current_windows_user and pipe_owned_by_current_user? helpers with new tests

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
test/windows/local_test.rb	Added specs for pipe ownership and Windows user detection logic
lib/train/transports/local.rb	Enforce ACL checks, set pipe security rules, and add helper methods

Comments suppressed due to low confidence (1)

lib/train/transports/local.rb:236

• Consider adding a unit test to cover the unauthorized access path in acquire_pipe, ensuring that PipeError is raised when the current user does not own the pipe.

            raise PipeError, "Unauthorized user '#{current_user}' tried to connect to pipe '#{pipe_name}'. Pipe is owned by '#{owner}'."