security: fix single percent detection and add fsutil to PowerShell

setup.bat:
- Fix percent sign detection to catch single % (not just %%)
- Use string substitution for reliable detection

install-core.ps1:
- Add fsutil reparsepoint query to Test-SecureDirectory
- Matches batch script's dual-layer detection approach
- Keep .NET attribute check as fallback

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

scripts/install-core.ps1

@@ -69,9 +69,14 @@ function Test-SecureDirectory {
         return $true  # Directory doesn't exist yet, will be created
     }
 
-    $dirInfo = Get-Item $Path -Force
+    # Primary check: use fsutil for reliable reparse point detection (matches batch script)
+    $fsutilResult = & fsutil reparsepoint query $Path 2>&1
+    if ($LASTEXITCODE -eq 0) {
+        Write-Err "Directory '$Path' is a reparse point (symlink or junction). Possible symlink attack detected."
+    }
 
-    # Check for symlinks/junctions
+    # Fallback: check .NET attributes
+    $dirInfo = Get-Item $Path -Force
     if ($dirInfo.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
         Write-Err "Directory '$Path' is a symbolic link or junction. Possible symlink attack detected."
     }

setup.bat

@@ -48,8 +48,10 @@ if !errorlevel! equ 0 (
     echo ERROR: LOCALAPPDATA contains invalid shell characters
     goto :error
 )
-echo !LOCALAPPDATA! | findstr /c:"%%" >nul
+REM Check for percent signs (both single and double)
-if !errorlevel! equ 0 (
+set "TEMP_CHECK=!LOCALAPPDATA!"
+set "TEMP_CHECK=!TEMP_CHECK:%%=!"
+if not "!TEMP_CHECK!"=="!LOCALAPPDATA!" (
     echo ERROR: LOCALAPPDATA contains percent signs
     goto :error
 )