prefetchMissingPackageArchives and ensurePackageArchiveCached both
downloaded package archives with DownloadOptions{} - no expected_hash -
even though the signed repo db already carries the correct archive_hash
for every package. A tampered mirror or corrupted transfer would be
silently cached and later extracted; the eventual content_hash check
during store admission happens only after extraction has already run.
Pass expected_hash = pkg.archive_hash at both call sites. The
underlying hash verification in download.downloadFile/downloadBatch
already existed and was already tested - this was purely a wiring gap.
Two existing tests used placeholder hashes ("a" * 64 / "b" * 64) that
didn't match their dummy archive bodies; fixed them to use the real
hash of the body now that it's actually checked. Added a regression
test that a tampered archive gets rejected before it's cached.