Validate ovpack ZIP member paths during import and add tests to reject unsafe entries

[13ernkastel]

Motivation
import_ovpack processes attacker-controlled ZIP member names. Without strict validation, malformed entries (e.g. traversal segments, absolute paths, Windows-style paths, or root mismatches) can lead to unsafe import behavior. This change hardens import path handling and adds explicit regression coverage.

What changed
Added _validate_ovpack_member_path(zip_path, base_name) to enforce strict member-path rules and fail fast on unsafe input. Specifically rejects:

empty member paths

backslash-containing paths

absolute paths

drive-prefixed paths

parent traversal (..) components

entries whose root directory does not match the expected archive root (base_name)

Integrated member validation into import_ovpack before any directory creation or file write logic, and used validated paths for subsequent operations (mkdir, read, write_file_bytes).

Added client-level import security tests that build crafted ovpack files and assert ValueError is raised for each unsafe pattern (../, absolute, drive-prefix, backslash path, wrong-root).

Security impact
This prevents ZIP member path abuse during .ovpack imports and ensures unsafe archive entries are rejected deterministically before I/O.

Testing
Added parametrized coverage in tests/client/test_import_export.py for unsafe entry patterns and expected validation errors.

Existing import/export tests remain in place under TestImportOvpack/TestExportOvpack.

[CLAassistant]

All committers have signed the CLA.