
[bug] Make SDDL tokenizer parenthesis-aware and surface errors on malformed input (#80)#89

Merged
p0dalirius merged 1 commit into main from enhancement-sddl-tokenizer-parenthesis-aware, Jun 1, 2026

Conversation

@p0dalirius

Collaborator

Linked Issue

Closes #80

Motivation

CutSDDL recognised the O:/G:/D:/S: component markers anywhere in the string and silently discarded any characters before the first marker; CutAces tracked parenthesis depth with no lower bound, so unbalanced parentheses silently dropped or desynchronised ACEs. Neither returned an error. Malformed SDDL was therefore accepted and silently truncated, and an ACE body containing : or nested parentheses (conditional / resource-attribute ACEs) could be split incorrectly. A parser for a security-sensitive format should reject malformed input rather than emit a partial, misleading parse.

What Changed

  • CutSDDL now tracks parenthesis depth and only recognises component markers at depth 0, so a marker-like substring inside an ACE body no longer starts a new component. It returns an error for: a character before the first marker, an unbalanced ) (negative depth), or an unbalanced ( (non-zero depth at end). Signature is now (string, string, []string, []string, error).
  • CutAces now preserves nested parentheses (only top-level parens delimit ACEs) and returns an error for an unbalanced ), an unbalanced (, or stray characters between/after top-level ACEs. Signature is now ([]string, error). A component with no ( (empty DACL/SACL with only flags) still returns no ACEs and no error.
  • Internal CutAces calls in CutSDDL now propagate these errors, wrapped as invalid DACL/invalid SACL.

Design Notes

Marker detection is gated on depth == 0, which is what makes conditional/resource-attribute ACEs tokenize correctly. The two functions validate parenthesis balance independently: CutSDDL checks the whole string, and per-component CutAces catches a component-local imbalance that a compensating imbalance elsewhere would otherwise mask.

Acceptance Criteria Check

  • Unbalanced parentheses return an error instead of dropping an ACE — TestSddlCut_MalformedReturnsError (unbalanced open paren, extra close paren).
  • Characters before the first marker or after the last ACE return an error — TestSddlCut_MalformedReturnsError (leading garbage, trailing garbage).
  • A conditional/resource-attribute ACE containing : or nested parens is tokenized as a single ACE — TestSddlCut_ConditionalAceSingleToken (input D:(XA;;FA;;;WD;(@xD:1)) yields one DACL ACE and no SACL).
  • Existing valid SDDL round-trip tests pass — TestSddlCut and TestSddlCut_LowercaseMarkers updated for the new signature and green.

How Verified

  • Tests: sddl/sddl_test.go — added TestSddlCut_ConditionalAceSingleToken, TestSddlCut_MalformedReturnsError; updated TestSddlCut/TestSddlCut_LowercaseMarkers for the new error return.
  • go build ./... and go test ./... pass.

Test Coverage

  • Added: the two new tests above; existing tokenizer tests retained.

Scope of Change

  • Files changed: sddl/sddl.go, sddl/sddl_test.go
  • Submodule pointer updated: no
  • Public API changes: breaking. CutSDDL and CutAces gain an error return value. Both are exported. There are no in-repo callers outside the sddl package (the descriptor SDDL parser does not use them), but external importers calling these functions directly must add error handling. Please confirm the signature change is acceptable before merging.
  • Behavioral changes outside the stated enhancement: none

Risk and Rollout

The behavioral change for well-formed SDDL is limited to the new (ignored) error return; tokenization of all existing valid cases is unchanged (verified by the retained tests). The risk is the breaking signature change for external callers — flagged above for your decision.

p0dalirius self-assigned this Jun 1, 2026
p0dalirius merged commit e0ded4e into main Jun 1, 2026
5 checks passed
p0dalirius deleted the enhancement-sddl-tokenizer-parenthesis-aware branch June 1, 2026 20:54
github-actions bot changed the title from "Make SDDL tokenizer parenthesis-aware and surface errors on malformed input (#80)" to "[bug] Make SDDL tokenizer parenthesis-aware and surface errors on malformed input (#80)" Jun 1, 2026
github-actions bot added the bug (Something isn't working) label Jun 1, 2026
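
The behaviour described in this pull request, sketched as an added single-pass example that is not the project's code and is not taken from sddl/sddl.go. The names tokenize and component are hypothetical, and it assumes a marker is any of O, G, D or S (either case) directly followed by ':' at parenthesis depth 0; duplicate markers are not checked.

```go
package main

import (
	"fmt"
	"strings"
)

type component struct {
	Marker, Head string   // marker letter, then the SID or ACL flags text
	Aces         []string // top-level ACEs, outer parentheses removed
}

// tokenize (hypothetical, not the project's CutSDDL) honours markers only at depth 0.
func tokenize(sddl string) ([]component, error) {
	var out []component
	depth, aceStart := 0, 0
	for i := 0; i < len(sddl); i++ {
		c, n := sddl[i], len(out)-1
		switch {
		case depth == 0 && strings.IndexByte("OGDSogds", c) >= 0 && strings.HasPrefix(sddl[i+1:], ":"):
			out = append(out, component{Marker: strings.ToUpper(sddl[i : i+1])})
			i++ // skip the ':' that follows the marker letter
		case n < 0:
			return nil, fmt.Errorf("offset %d: %q before first marker", i, c)
		case c == '(':
			if depth++; depth == 1 {
				aceStart = i + 1
			}
		case c == ')' && depth == 0:
			return nil, fmt.Errorf("offset %d: unbalanced ')'", i)
		case c == ')':
			if depth--; depth == 0 {
				out[n].Aces = append(out[n].Aces, sddl[aceStart:i])
			}
		case depth == 0 && len(out[n].Aces) > 0:
			return nil, fmt.Errorf("offset %d: stray %q after an ACE", i, c)
		case depth == 0:
			out[n].Head += string(c)
		}
	}
	if depth != 0 {
		return nil, fmt.Errorf("unbalanced '(': %d still open at end of input", depth)
	}
	return out, nil
}

func main() {
	fmt.Println(tokenize("D:(XA;;FA;;;WD;(@xD:1))")) // input quoted in the PR text
}
```

Because the depth check comes first, the D: inside the conditional ACE body never opens a second component, and every malformed shape listed in the acceptance criteria returns an error instead of a shortened result.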