🔒 Saturate timestamp nanosecond addition during entry parsing

Use `time::Duration::saturating_add` instead of `+` for ctime/mtime/atime
when combining seconds (cTIM/mTIM/aTIM) with nanoseconds (cTNS/mTNS/aTNS)
in `NormalEntry` parsing.

`time::Duration` panics on i64 second overflow, but the upstream `nanos()`
helper already rejects values `>= 1_000_000_000`, so the previous `+`
cannot actually panic for any archive that passes existing chunk
validation. The change is defense-in-depth: if `nanos()` is ever relaxed
or upstream `time::Duration` semantics change, the parser stays total
without introducing a new `InvalidData` error path that would reject
archives that decode cleanly today.

No behavior change for archives whose nanoseconds satisfy the existing
0..1_000_000_000 constraint.

Author: google-labs-jules[bot]

lib/src/entry.rs

@@ -681,9 +681,12 @@ where
                 }
             }
         }
-        let ctime = ctime.map(|t| t + Duration::nanoseconds(ctime_ns.unwrap_or(0) as _));
-        let mtime = mtime.map(|t| t + Duration::nanoseconds(mtime_ns.unwrap_or(0) as _));
-        let atime = atime.map(|t| t + Duration::nanoseconds(atime_ns.unwrap_or(0) as _));
+        let ctime =
+            ctime.map(|t| t.saturating_add(Duration::nanoseconds(ctime_ns.unwrap_or(0) as _)));
+        let mtime =
+            mtime.map(|t| t.saturating_add(Duration::nanoseconds(mtime_ns.unwrap_or(0) as _)));
+        let atime =
+            atime.map(|t| t.saturating_add(Duration::nanoseconds(atime_ns.unwrap_or(0) as _)));
 
         Ok(Self {
             header,