fix: audit fixes across verify, pack, security, and performance

- fix KeyError in compute_coverage (generate_readme, generate_site)
- fix comma-separated MD5 handling in generate_pack check_inside_zip
- fix _verify_file_hash to handle multi-MD5 for large files
- fix external downloads not tracked in seen_destinations/file_status
- fix tar path traversal in _is_safe_tar_member (refresh_data_dirs)
- fix predictable tmp path in download.py
- fix _sanitize_path to filter "." components
- remove blanket data_dir suppression in find_undeclared_files
- remove blanket data_dir suppression in cross_reference
- add status_counts to verify_platform return value
- add md5_composite cache for repeated ZIP hashing

scripts/generate_site.py

@@ -68,14 +68,19 @@ def _status_icon(pct: float) -> str:
 def compute_coverage(platform_name: str, platforms_dir: str, db: dict) -> dict:
     config = load_platform_config(platform_name, platforms_dir)
     result = verify_platform(config, db)
-    present = result["ok"] + result["untested"]
-    pct = (present / result["total"] * 100) if result["total"] > 0 else 0
+    sc = result.get("status_counts", {})
+    ok = sc.get("ok", 0)
+    untested = sc.get("untested", 0)
+    missing = sc.get("missing", 0)
+    total = result["total_files"]
+    present = ok + untested
+    pct = (present / total * 100) if total > 0 else 0
     return {
         "platform": config.get("platform", platform_name),
-        "total": result["total"],
-        "verified": result["ok"],
-        "untested": result["untested"],
-        "missing": result["missing"],
+        "total": total,
+        "verified": ok,
+        "untested": untested,
+        "missing": missing,
         "present": present,
         "percentage": pct,
         "mode": config.get("verification_mode", "existence"),