Harden Apptainer bundle extraction against tar path traversal #117

Draft
Copilot wants to merge 3 commits into master from copilot/fix-path-traversal-vulnerability

Copilot AI commented Jun 2, 2026

_extract_bundle() in the Apptainer provider accepted nix/... member names but used direct tar.extract, allowing crafted paths like nix/../../escape.txt to write outside the bundle cache. This change aligns Apptainer extraction with the Docker provider’s safe-extraction model.

  • Extraction safety model

    • Replaced tar.extract(...) with explicit per-member extraction logic.
    • Normalizes member names with POSIX semantics and enforces extraction scope to nix/ only.
    • Rejects unsafe member paths (absolute paths, parent traversal, non-nix payloads).
  • Filesystem and link handling

    • Validates parent path components to prevent writes through symlink/non-directory parents.
    • Validates hard-link targets as safe nix/ paths and requires target presence before linking.
    • Rejects unsupported tar member types instead of attempting best-effort extraction.
  • Atomic cache population

    • Extracts into a temporary directory and replaces the cache target only after full validation/extraction succeeds, preventing partial or unsafe cache states.
  • Regression coverage

    • Added test_extract_bundle_rejects_path_traversal_member to lock behavior for crafted traversal entries.
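
import io
import tarfile
from pathlib import Path
import pytest

def test_extract_bundle_rejects_path_traversal_member(tmp_path: Path) -> None:
    bundle = tmp_path / "bundle.tar"  # setup not shown in the excerpt; paths assumed
    target = tmp_path / "target"
    with tarfile.open(bundle, "w") as tar:
        info = tarfile.TarInfo("nix/../../escape.txt")
        tar.addfile(info, io.BytesIO(b"owned"))

    with pytest.raises(RuntimeError, match="unsafe member"):
        _extract_bundle(bundle, target)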

Copilot AI changed the title from "[WIP] Fix path traversal in Apptainer provider bundle extraction" to "Harden Apptainer bundle extraction against tar path traversal" Jun 2, 2026
Copilot AI requested a review from FatPigeorz June 2, 2026 11:36
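
The extraction model listed in the pull request description, as an added example that is not the project's `_extract_bundle` code: per-member validation scoped to nix/, a parent-component check, rejection of unsupported types, and a temp-directory swap. The function names are hypothetical, and this sketch is narrowed to regular files and directories, so symlinks and hard links are rejected rather than validated.

```python
import posixpath
import shutil
import tarfile
import tempfile
from pathlib import Path


def safe_member_path(name: str) -> str:
    """Return the normalized POSIX path of a member, or raise if it leaves nix/."""
    if name.startswith("/") or ".." in name.split("/"):
        raise RuntimeError(f"unsafe member: {name!r}")
    norm = posixpath.normpath(name)
    if norm != "nix" and not norm.startswith("nix/"):
        raise RuntimeError(f"unsafe member: {name!r}")
    return norm


def check_parents(root: Path, rel: str) -> None:
    """Refuse to write through a symlink or non-directory parent."""
    cur = root
    for part in rel.split("/")[:-1]:
        cur = cur / part
        if cur.is_symlink() or (cur.exists() and not cur.is_dir()):
            raise RuntimeError(f"unsafe parent for member: {rel!r}")


def extract_nix_bundle(bundle: Path, target: Path) -> None:
    """Extract only nix/ members into a temp dir, then swap it into place."""
    target.parent.mkdir(parents=True, exist_ok=True)
    tmp = Path(tempfile.mkdtemp(dir=target.parent, prefix=".extract-"))
    try:
        with tarfile.open(bundle, "r") as tar:
            for member in tar:
                rel = safe_member_path(member.name)
                check_parents(tmp, rel)
                dest = tmp / rel
                if member.isdir():
                    dest.mkdir(parents=True, exist_ok=True)
                elif member.isreg():
                    dest.parent.mkdir(parents=True, exist_ok=True)
                    with tar.extractfile(member) as src, open(dest, "xb") as out:
                        shutil.copyfileobj(src, out)
                else:  # symlinks, hard links, devices: rejected in this sketch
                    raise RuntimeError(f"unsupported member type: {member.name!r}")
        if target.exists():
            shutil.rmtree(target)
        tmp.replace(target)  # target only appears after every member passed
    except BaseException:
        shutil.rmtree(tmp, ignore_errors=True)
        raise
```

Because the temporary directory is created next to the target, a rejected archive leaves neither a partial cache entry nor a stray extraction directory behind.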
Successfully merging this pull request may close these issues.

Path traversal in Apptainer provider bundle extraction