feat(cli): add --exclude flag to skip paths from scan and ci

[shivasurya]

Summary

• Adds --exclude (repeatable StringArray) flag to both pathfinder scan and pathfinder ci. Each value is a repo-relative path prefix; files whose path starts with any prefix are skipped at the file-walk layer, so they are never parsed or counted.
• Introduces sast-engine/cmd/exclude.go with validateExcludePatterns (normalize + reject dangerous inputs) and isExcluded (prefix-boundary match with rules matching rules/foo but not rulesx/foo).
• Threads ExcludePatterns through graph.ProgressCallbacks into graph.Initialize/getFiles, so exclusion happens before any I/O or AST work begins.

Test plan

• 36 new tests in exclude_test.go, scan_test.go, ci_test.go, utils_test.go covering: empty list, single prefix, multiple, nested prefix, exact dir match, boundary semantics (rules vs rulesx), trailing slash normalization, case sensitivity, unicode.
• Security validation: absolute paths, .. traversal, backslashes, null bytes, length > 512 all return a clear error.
• go test ./... -count=1 passes on all 30 packages (2113 tests total).
• go vet ./... clean.
• golangci-lint run ./... clean (v2.9.0).

Security notes

Validation rules applied by validateExcludePatterns before any filesystem access:

Rule	Rationale
No leading /	Absolute paths could reference files outside the project root
No .. path component	Prevents traversal to parent directories
No backslash	Rejects Windows-style paths that would silently misbehave on Linux
No null byte	Null bytes terminate C strings and bypass naive checks
Length <= 512	Guards against pathological inputs

Go does not shell-expand these patterns (no glob, no os/exec), but inputs are rejected anyway to enforce a clean repo-relative contract and prevent confusion.

🤖 Generated with Claude Code

[safedep]

SafeDep Report Summary

No dependency changes detected. Nothing to scan.

View complete scan results →

_{This report is generated by SafeDep Github App}

[github-actions]

Code Pathfinder Security Scan

No security issues detected.

Metric	Value
Files Scanned	10
Rules	205

---

_{Powered by Code Pathfinder}

[code-pathfinder]

Pathfinder Report

✅ No security findings on the changed files. This pull request is clean.

View report on the dashboard

---

Powered by Code Pathfinder.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.44%. Comparing base (6371812) to head (4a29334).

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #690      +/-   ##
==========================================
+ Coverage   85.43%   85.44%   +0.01%     
==========================================
  Files         187      188       +1     
  Lines       27278    27333      +55     
==========================================
+ Hits        23305    23355      +50     
- Misses       3082     3086       +4     
- Partials      891      892       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.