feat(cli): --disable-rule flag in scan and ci commands#716

Merged
shivasurya merged 2 commits into
mainfrom
shiva/disable-rule-flag
May 23, 2026
Conversation

@shivasurya
Owner

Summary

Adds a repeatable --disable-rule <id> flag to both pathfinder scan and pathfinder ci that drops the named rules from the loader before execution. Mirrors the --exclude flag added in PR #690 in shape, validation, and wiring.

Unblocks the rule-registry feature (spec: cpf-dashboard@b748501). cpf-executor will populate the flag from per-org / per-repo overrides resolved server-side.

Validation

validateDisableRules rejects rule IDs outside [A-Za-z0-9_-]{1,64}. Strict on purpose: cpf-executor will pass these as argv elements built from a D1 lookup, and the charset stops shell metacharacters or path-traversal patterns from sneaking through even if the API layer regresses.

Empty and duplicate entries are silently dropped (matches the --exclude convention).

Test plan

  • Table-driven validator unit test (11 cases): empty, single, multiple, dedup, trim, drop-empty, too-long, invalid chars, path-like, newline, null byte.
  • go build ./..., go test ./... (31 packages): clean.
  • Smoke: pathfinder scan -p sast-engine/test/fixtures/vulnerable_project --rules sast-engine/test/fixtures/rules/simple.py produces a TEST-001 finding. Adding --disable-rule TEST-001 reduces the rule set to zero and pathfinder correctly emits no rules loaded (proves the filter actually ran before the rule-count gate).

Pure validator for the upcoming --disable-rule flag. Mirrors the
validateExcludePatterns pattern: trims whitespace, drops empties, dedups,
rejects anything outside [A-Za-z0-9_-]{1,64}. The strict charset stops
downstream callers (cpf-executor populating argv from a D1 lookup) from
smuggling shell metacharacters or path-traversal patterns.
Repeatable CLI flag that drops matching rule IDs from the rule loader
before execution. Validated via validateDisableRules (strict charset,
dedup, length cap). Mirrors --exclude in shape, validation, and wiring.

Smoke: scan + --disable-rule SAST-CMD-001 against a positive fixture
returns no findings for that rule, others still fire.
@shivasurya shivasurya added labels enhancement (New feature or request) and go (Pull requests that update go code) on May 23, 2026
@shivasurya shivasurya self-assigned this on May 23, 2026
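An illustrative Go reimplementation of the validator and loader filter the PR describes, added here as an example; it is not the project's code, and the names ValidateDisableRules and FilterRules, their signatures, and the sample IDs are assumptions. The pattern is anchored so that a partial match on an embedded newline, NUL byte or path segment cannot pass:

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Rule-ID shape from the PR description: [A-Za-z0-9_-]{1,64}. Anchored on both
// ends so "TEST\n001", "../x" or a NUL-bearing string cannot pass on a substring match.
var ruleIDPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// ValidateDisableRules trims each entry, drops empties, dedups in first-seen
// order and rejects any ID outside the charset/length cap (assumed signature).
func ValidateDisableRules(raw []string) ([]string, error) {
	seen := make(map[string]struct{}, len(raw))
	out := make([]string, 0, len(raw))
	for _, r := range raw {
		id := strings.TrimSpace(r)
		if id == "" {
			continue // empties are silently dropped, like --exclude
		}
		if !ruleIDPattern.MatchString(id) {
			return nil, fmt.Errorf("invalid --disable-rule value %q: must match [A-Za-z0-9_-]{1,64}", id)
		}
		if _, dup := seen[id]; dup {
			continue // duplicates are silently dropped
		}
		seen[id] = struct{}{}
		out = append(out, id)
	}
	return out, nil
}

// FilterRules drops already-validated IDs from a loaded rule set before the
// rule-count gate, so an empty result reaches the "no rules loaded" path.
func FilterRules(loaded, disabled []string) []string {
	drop := make(map[string]struct{}, len(disabled))
	for _, d := range disabled {
		drop[d] = struct{}{}
	}
	kept := make([]string, 0, len(loaded))
	for _, id := range loaded {
		if _, off := drop[id]; !off {
			kept = append(kept, id)
		}
	}
	return kept
}
```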
safedep Bot commented May 23, 2026

SafeDep Report Summary

No dependency changes detected. Nothing to scan.

This report is generated by SafeDep Github App

@code-pathfinder

Pathfinder Report

No security findings on the changed files. This pull request is clean.


@shivasurya shivasurya merged commit 460d0d3 into main May 23, 2026
5 checks passed
@shivasurya shivasurya deleted the shiva/disable-rule-flag branch May 23, 2026 16:40

codecov Bot commented May 23, 2026

Codecov Report

❌ Patch coverage is 42.85714% with 32 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.48%. Comparing base (7a21c89) to head (9aeec45).
⚠️ Report is 1 commit behind head on main.

Files with missing lines | Patch % | Lines
sast-engine/cmd/ci.go | 15.78% | 14 Missing and 2 partials ⚠️
sast-engine/cmd/scan.go | 15.78% | 15 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #716      +/-   ##
==========================================
- Coverage   85.56%   85.48%   -0.09%     
==========================================
  Files         191      192       +1     
  Lines       27467    27523      +56     
==========================================
+ Hits        23503    23527      +24     
- Misses       3075     3104      +29     
- Partials      889      892       +3     
