fix: audit fixes across verify, pack, security, and performance

- fix KeyError in compute_coverage (generate_readme, generate_site)
- fix comma-separated MD5 handling in generate_pack check_inside_zip
- fix _verify_file_hash to handle multi-MD5 for large files
- fix external downloads not tracked in seen_destinations/file_status
- fix tar path traversal in _is_safe_tar_member (refresh_data_dirs)
- fix predictable tmp path in download.py
- fix _sanitize_path to filter "." components
- remove blanket data_dir suppression in find_undeclared_files
- remove blanket data_dir suppression in cross_reference
- add status_counts to verify_platform return value
- add md5_composite cache for repeated ZIP hashing

tests/test_e2e.py

@@ -471,13 +471,13 @@ class TestE2E(unittest.TestCase):
         profiles = load_emulator_profiles(self.emulators_dir)
         self.assertNotIn("test_alias", profiles)
 
-    def test_43_cross_ref_data_dir_suppresses_gaps(self):
+    def test_43_cross_ref_data_dir_does_not_suppress_files(self):
         config = load_platform_config("test_md5", self.platforms_dir)
         profiles = load_emulator_profiles(self.emulators_dir)
         undeclared = find_undeclared_files(config, self.emulators_dir, self.db, profiles)
         names = {u["name"] for u in undeclared}
-        # dd_covered.bin from TestEmuDD should NOT appear (data_dir match)
-        self.assertNotIn("dd_covered.bin", names)
+        # dd_covered.bin is a file entry, not data_dir content — still undeclared
+        self.assertIn("dd_covered.bin", names)
 
     def test_44_cross_ref_skips_launchers(self):
         config = load_platform_config("test_existence", self.platforms_dir)