fix: audit fixes across verify, pack, security, and performance

- fix KeyError in compute_coverage (generate_readme, generate_site)
- fix comma-separated MD5 handling in generate_pack check_inside_zip
- fix _verify_file_hash to handle multi-MD5 for large files
- fix external downloads not tracked in seen_destinations/file_status
- fix tar path traversal in _is_safe_tar_member (refresh_data_dirs)
- fix predictable tmp path in download.py
- fix _sanitize_path to filter "." components
- remove blanket data_dir suppression in find_undeclared_files
- remove blanket data_dir suppression in cross_reference
- add status_counts to verify_platform return value
- add md5_composite cache for repeated ZIP hashing

scripts/refresh_data_dirs.py

@@ -120,7 +120,8 @@ def _is_safe_tar_member(member: tarfile.TarInfo, dest: Path) -> bool:
     if member.name.startswith("/") or ".." in member.name.split("/"):
         return False
     resolved = (dest / member.name).resolve()
-    if not str(resolved).startswith(str(dest.resolve())):
+    dest_str = str(dest.resolve()) + os.sep
+    if not str(resolved).startswith(dest_str) and str(resolved) != str(dest.resolve()):
         return False
     return True