fix: verify dotnet/runtime benchmark target

[mstykow]

Summary

• Fix npm sibling assembly so package-lock.json dependencies survive when sibling npm manifests omit full identity but still clearly refer to the same package name.
• Recognize zlib-style configure headers as autotools package surfaces and cover the parser change with focused unit and golden tests.
• Add a follow-up copyright/holder/author cleanup pass for dotnet/runtime that drops XML/feed element-value noise, version-info and DTD metadata spans, and code-like member-access / unicode-escape junk while preserving legitimate markup author attributes.
• Re-verify dotnet/runtime @ d1163e5 with compare-outputs --profile common, updating the final evidence path to .provenant/compare-runs/20260429T185606Z-runtime-45960 and reducing runtime junk higher-count deltas from authors 120 -> 96, holders 65 -> 47, and copyrights 56 -> 37 versus the original benchmark checkpoint run.

Scope and exclusions

• Included: one compare-outputs --profile common verification lane for https://github.com/dotnet/runtime.git at d1163e5a8f3f3aaa374993e8b5805911689aba28, targeted assembly/parser/copyright-detector fixes, and the resulting benchmark documentation refresh already on this branch.
• Explicit exclusions: no scorecard row edits because .NET / NuGet is already verified and this PR remains a benchmark checkpoint plus general scanner-quality fixes; no changes for the remaining reviewed compare tail where ScanCode times out on EncryptedXmlSample4.xml or reports extra clue/binary-license noise (google-cla on brotli/CONTRIBUTING.md, NGPL on the wasm .dat assets).

Expected-output fixture changes

• Files changed: testdata/autotools/zlib-ng/configure.expected.json
• Why the new expected output is correct: the autotools parser now intentionally recognizes generated configure scripts that advertise themselves with a # configure script for ... header, so the new golden locks in the corrected pkg:autotools/zlib-ng package identity for that parser surface.