fix: reject path traversal entries in TAR list command (#104)

[bug-ops]

Summary

• list_tar_entries now validates each TAR entry path for .. components and absolute paths
• Returns PathTraversal error on detection, matching ZIP list behavior exactly
• Fixes the CLI conflict-check bypass where a malicious TAR could pass the pre-extraction list phase

Root Cause

list_tar_entries used entry.path() (raw tar-rs path, no validation), while ZIP listing used entry.enclosed_name() which returns None for traversal paths. The inconsistency allowed list on a malicious TAR to succeed with exit code 0, bypassing the pre-extraction conflict check.

Changes

• crates/exarch-core/src/inspection/list.rs: add contains_traversal() helper + traversal check in list_tar_entries
• CHANGELOG.md: document the fix

Tests

5 new unit tests:

• test_list_tar_path_traversal_dotdot — ../escape.txt → PathTraversal
• test_list_tar_path_traversal_nested — foo/../../escape.txt → PathTraversal
• test_list_tar_path_traversal_absolute — /etc/passwd → PathTraversal
• test_list_tar_gz_path_traversal — same via gzip-compressed TAR
• test_list_tar_path_traversal_mixed_entries_fail_fast — safe entry + traversal entry → fail-fast

Test plan

• cargo +nightly fmt --all -- --check passes
• cargo clippy --all-targets --all-features --workspace -- -D warnings passes
• cargo nextest run --workspace --all-features --exclude exarch-python --exclude exarch-node --lib --bins — 584 passed, 3 skipped
• cargo deny check passes

Closes #104