feat(go): third-party type resolution from vendor/GOMODCACHE

[shivasurya]

Summary

Adds foundational Go third-party type resolution: validated method calls on gorm, gin, grpc, and any other vendored/cached dependency — replacing the previous best-effort fallback.

What this PR delivers

• GoThirdPartyLoader interface (core/types.go) — mirrors GoStdlibLoader, reuses GoStdlibType/GoStdlibPackage (zero new types)
• GoThirdPartyLocalLoader (registry/go_thirdparty_local.go) — parses vendor/ or GOMODCACHE via tree-sitter; extracts exported types, methods, fields, functions; flattens embedded interface methods (same-package recursive + well-known cross-package io.Closer/io.Reader/etc.)
• Pattern 1b Check 2.5 (builder/go_builder.go) — sits between Check 2 (stdlib) and Check 3 (promoted methods); validates third-party method calls against extracted metadata
• Return type inference (extraction/go_variables.go) — inferTypeFromThirdPartyFunction() infers return types from third-party constructors (e.g. gorm.Open → *gorm.DB)
• Disk cache — {userCacheDir}/code-pathfinder/go-thirdparty/{sha256(projectRoot)[:12]}/ with cache-index.json version tracking; cold run ~50-200ms, warm run ~5ms; version mismatch triggers re-extraction
• --refresh-rules integration — reuses existing flag to also flush the go-thirdparty disk cache (no new flag)

Resolution chain after this PR

Check 1   → user code (callGraph.Functions)
Check 2   → stdlib CDN (167 packages)
Check 2.5 → third-party vendor/GOMODCACHE  ← NEW
Check 3   → promoted methods (struct embedding)
Check 4   → best-effort FQN fallback

PoC validation (from branch shiva/go-thirdparty-poc)

• vendored gorm + gin stubs: 7/7 calls resolved via Check 2.5
• real vendored posthog-go: 4/4 calls resolved (including embedded io.Closer and EnqueueClient)

Test plan

• TestDiskCacheWriteAndRead — cold run writes JSON, warm run reads from disk without vendor/
• TestCacheVersionMismatch — go.mod version bump triggers re-extraction
• TestRefreshCacheFlush — refreshCache=true wipes stale cache and re-extracts
• TestGormCheck25 / TestGinSubpackageResolution — full pipeline integration tests
• All existing registry and builder tests pass (go test ./... -count=1)

🤖 Generated with Claude Code

[safedep]

SafeDep Report Summary

No dependency changes detected. Nothing to scan.

View complete scan results →

_{This report is generated by SafeDep Github App}

[github-actions]

Code Pathfinder Security Scan

No security issues detected.

Metric	Value
Files Scanned	11
Rules	205

---

_{Powered by Code Pathfinder}

[codecov]

Codecov Report

❌ Patch coverage is 83.98510% with 86 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.21%. Comparing base (e11335d) to head (994c4bd).

Files with missing lines	Patch %	Lines
...ne/graph/callgraph/registry/go_thirdparty_local.go	83.60%	48 Missing and 33 partials ⚠️
...-engine/graph/callgraph/extraction/go_variables.go	80.95%	2 Missing and 2 partials ⚠️
sast-engine/cmd/scan.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff            @@
##             main     #641    +/-   ##
========================================
  Coverage   84.21%   84.21%            
========================================
  Files         161      162     +1     
  Lines       22719    23256   +537     
========================================
+ Hits        19133    19586   +453     
- Misses       2886     2936    +50     
- Partials      700      734    +34     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.