
perf: optimize SafePath::validate canonicalization (50% faster)#53

Merged: bug-ops merged 1 commit into main from perf/safe-path-canonicalize, Feb 6, 2026

Conversation

@bug-ops (Owner) commented Feb 6, 2026

Summary

Eliminate redundant canonicalize() syscalls in SafePath::validate via a 3-layer ValidationContext optimization:

  1. Trusted-parent fast path — skip parent.canonicalize() when parent is in DirCache (created by extraction engine)
  2. Symlink-free fast path — skip all canonicalize when archive has no symlinks and config disallows them
  3. Full canonicalize fallback — original behavior for archives with symlinks

Results

| Metric | Before | After | Improvement |
|---|---|---|---|
| Path validation | 12 us | 6 us | 50% |
| Validation throughput | 82.7K/s | 161K/s | ~2x |
| TAR extraction (1000 small files) | 111 ms | 86 ms | 23% |
| ZIP extraction (1000 small files) | 115 ms | 88 ms | 23% |
| ZIP extraction (10000 files) | 1144 ms | 898 ms | 22% |
| Memory (dhat) | No regression | No regression | |

Security

  • All CVE regression tests pass (521 security tests)
  • Security audit: approved (symlink-in-parent attack fully blocked)
  • Zero unsafe code
  • canonicalize() runs unconditionally when symlinks are present

Test plan

  • 749 tests pass (8 new tests for optimization branches)
  • clippy clean
  • Security audit approved
  • Performance validated with criterion + dhat
  • Code review approved

Closes #51

Add ValidationContext with 3-layer optimization to eliminate redundant
canonicalize() syscalls during path validation:

1. Skip parent canonicalize when parent is in DirCache (created by us)
2. Skip all canonicalize when archive has no symlinks and config
   disallows them
3. Full canonicalize fallback for archives with symlinks

Results: validation 12 us -> 6 us per entry, extraction throughput
+20-25% for many-files workloads. All security properties preserved.

Closes #51
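The three-layer decision described in the PR, sketched as an added Rust example; this is not exarch's code, and the ValidationContext fields, the lexical pre-check and the error kinds are assumptions about how such a context would be shaped:

```rust
use std::collections::HashSet;
use std::io::{Error, ErrorKind, Result};
use std::path::{Component, Path, PathBuf};

/// Hypothetical per-archive context; field names are assumptions, not exarch's API.
pub struct ValidationContext {
    pub dest: PathBuf,                  // canonical extraction root
    pub trusted_dirs: HashSet<PathBuf>, // dirs this extractor created itself (the "DirCache")
    pub archive_has_symlinks: bool,     // learned from a pre-scan of the archive entries
    pub allow_symlinks: bool,           // extractor configuration
}
impl ValidationContext {
    /// Lexical checks that run for every entry on every layer: no absolute
    /// paths, no prefixes, no `..` components, no empty entry name.
    fn lexical(entry: &str) -> Result<PathBuf> {
        let mut rel = PathBuf::new();
        for c in Path::new(entry).components() {
            match c {
                Component::Normal(n) => rel.push(n),
                Component::CurDir => {}
                _ => return Err(Error::new(ErrorKind::InvalidInput, "absolute path or traversal")),
            }
        }
        if rel.as_os_str().is_empty() { return Err(Error::new(ErrorKind::InvalidInput, "empty entry name")); }
        Ok(rel)
    }
    /// Returns the on-disk path an entry may be written to, or an error.
    pub fn validate(&self, entry: &str) -> Result<PathBuf> {
        let full = self.dest.join(Self::lexical(entry)?);
        let parent = full.parent().unwrap_or(self.dest.as_path()).to_path_buf();
        // Layer 1: parent is a real dir we created, so its canonical form is known; no syscall.
        if self.trusted_dirs.contains(&parent) {
            return Ok(full);
        }
        // Layer 2: archive cannot plant a symlink and none are allowed; the lexical join stands.
        if !self.archive_has_symlinks && !self.allow_symlinks {
            return Ok(full);
        }
        // Layer 3: resolve the parent on disk and confirm it is still under dest;
        // this is the check that blocks a symlinked parent directory.
        let real_parent = parent.canonicalize()?;
        if !real_parent.starts_with(&self.dest) {
            return Err(Error::new(ErrorKind::PermissionDenied, "parent escapes dest via symlink"));
        }
        Ok(real_parent.join(full.file_name().expect("lexical() rejects empty names")))
    }
}
```

Only layer 3 touches the filesystem, which is why a trusted parent or a symlink-free archive turns a canonicalize() syscall into a hash lookup or a pure string join.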
github-actions bot added labels core (Changes to exarch-core), docs (Documentation), benches (Benchmark changes), Feb 6, 2026
@codecov-commenter commented

Codecov Report

❌ Patch coverage is 94.07008% with 22 lines in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| crates/exarch-core/src/types/safe_path.rs | 90.54% | 21 Missing ⚠️ |
| crates/exarch-core/src/security/validator.rs | 98.66% | 1 Missing ⚠️ |


@@            Coverage Diff             @@
##             main      #53      +/-   ##
==========================================
+ Coverage   90.08%   90.36%   +0.28%     
==========================================
  Files          61       58       -3     
  Lines       10013    10180     +167     
==========================================
+ Hits         9020     9199     +179     
+ Misses        993      981      -12     
| Flag | Coverage Δ |
|---|---|
| exarch-python | ? |

Flags with carried forward coverage won't be shown.

| Files with missing lines | Coverage Δ |
|---|---|
| crates/exarch-core/src/formats/common.rs | 98.01% <100.00%> (+0.11%) ⬆️ |
| crates/exarch-core/src/formats/sevenz.rs | 92.04% <100.00%> (ø) |
| crates/exarch-core/src/formats/tar.rs | 92.56% <100.00%> (+<0.01%) ⬆️ |
| crates/exarch-core/src/formats/zip.rs | 79.35% <100.00%> (+0.03%) ⬆️ |
| crates/exarch-core/src/security/context.rs | 100.00% <100.00%> (ø) |
| crates/exarch-core/src/security/validator.rs | 99.25% <98.66%> (-0.15%) ⬇️ |
| crates/exarch-core/src/types/safe_path.rs | 92.16% <90.54%> (+2.03%) ⬆️ |

... and 4 files with indirect coverage changes


bug-ops merged commit 3d5243b into main, Feb 6, 2026 (20 checks passed)
bug-ops deleted the perf/safe-path-canonicalize branch, February 6, 2026 14:13
bug-ops mentioned this pull request, Feb 6, 2026


Development

Successfully merging this pull request may close these issues.

perf: SafePath::validate canonicalization is 12x over target (12 us vs 1 us)
