feat: CDN registry generator for Go third-party packages

[shivasurya]

Summary

• Adds ExtractSinglePackage(packageDir, importPath string) (*Package, error) to tools/internal/goextract — reuses the existing go/ast extraction pipeline for a single directory (third-party module cache path from go mod download -json)
• Adds tools/generate_go_thirdparty_registry.go CLI tool (build tag: cpf_generate_thirdparty_registry) that downloads modules, extracts exported APIs, writes per-package JSON + manifest.json with sha256 checksums — produces CDN content consumed by GoThirdPartyRegistryRemote from PR-06
• Adds tools/top1000.txt with Tier 1 (~30 security-relevant packages): web frameworks, ORM/DB drivers, HTTP clients, auth/crypto, logging, cloud SDKs
• Module path encoding (slashes → underscores) is consistent with PR-06's encodeModulePath
• Tool continues on per-package failures (skip + log, no abort) and sorts manifest alphabetically for deterministic output

Test plan

• go test ./tools/internal/goextract/ — all existing + 9 new ExtractSinglePackage tests pass
• go test -tags cpf_generate_thirdparty_registry ./tools/ — 16 CLI helper tests (readPackageList, encodeModulePath, downloadModule with injected runner, end-to-end pipeline)
• go test ./... — full suite clean
• golangci-lint run ./tools/internal/goextract/ — zero issues
• golangci-lint run --build-tags cpf_generate_thirdparty_registry ./tools/ — zero issues
• Checksum format "sha256:" + hex matches PR-06 loader verification

🤖 Generated with Claude Code

[safedep]

SafeDep Report Summary

No dependency changes detected. Nothing to scan.

View complete scan results →

_{This report is generated by SafeDep Github App}

[github-actions]

Code Pathfinder Security Scan

No security issues detected.

Metric	Value
Files Scanned	5
Rules	205

---

_{Powered by Code Pathfinder}

[codecov]

Codecov Report

❌ Patch coverage is 86.66667% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.45%. Comparing base (f3bd26c) to head (e51b501).

Files with missing lines	Patch %	Lines
sast-engine/tools/internal/goextract/extractor.go	86.66%	2 Missing and 2 partials ⚠️

Additional details and impacted files

@@                      Coverage Diff                       @@
##           shiva/pr-06-golang-thirdparty     #647   +/-   ##
==============================================================
  Coverage                          84.45%   84.45%           
==============================================================
  Files                                163      163           
  Lines                              23564    23594   +30     
==============================================================
+ Hits                               19900    19926   +26     
- Misses                              2918     2920    +2     
- Partials                             746      748    +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.