fix: audit fixes across verify, pack, security, and performance

- fix KeyError in compute_coverage (generate_readme, generate_site)
- fix comma-separated MD5 handling in generate_pack check_inside_zip
- fix _verify_file_hash to handle multi-MD5 for large files
- fix external downloads not tracked in seen_destinations/file_status
- fix tar path traversal in _is_safe_tar_member (refresh_data_dirs)
- fix predictable tmp path in download.py
- fix _sanitize_path to filter "." components
- remove blanket data_dir suppression in find_undeclared_files
- remove blanket data_dir suppression in cross_reference
- add status_counts to verify_platform return value
- add md5_composite cache for repeated ZIP hashing
Abdessamad Derraz
2026-03-19 14:04:34 +01:00
parent e1410ef4a6
commit 38d605c7d5
9 changed files with 68 additions and 45 deletions


@@ -93,15 +93,6 @@ def cross_reference(
for sys_id in systems:
platform_names.update(declared.get(sys_id, set()))
# data_directories: check if the emulator's data_dir refs are provided
# by ANY platform for ANY system (not limited to matching system IDs,
# since emulator profiles and platforms use different ID conventions)
all_plat_dd_refs = set()
for dd_set in platform_data_dirs.values():
all_plat_dd_refs.update(dd_set)
emu_dd_refs = {dd.get("ref", "") for dd in profile.get("data_directories", [])}
covered_dd = emu_dd_refs & all_plat_dd_refs
gaps = []
covered = []
for f in emu_files:
@@ -117,9 +108,6 @@ def cross_reference(
continue
in_platform = fname in platform_names
# files covered by shared data_directories are effectively in the platform pack
if not in_platform and covered_dd:
in_platform = True
in_repo = _find_in_repo(fname, by_name, by_name_lower)
entry = {