chore(sonar): exclude e2e specs + suppress go:S4036 PATH hotspots (#8)

Two narrow tightenings to cut Sonar noise:

- ui/e2e/** added to sonar.exclusions. Playwright specs are test
  scaffolding (own runner, fixtures, repeat boilerplate) and were
  showing up as ~45% duplicated source code, polluting the dup metric.
- go:S4036 (PATH variable usage) suppressed project-wide via
  sonar.issue.ignore.multicriteria. ctm is a CLI orchestrator that
  resolves user-installed tools (git, tmux, claude, gh) through \$PATH
  on whatever box it's running on; hardcoded absolutes aren't viable
  across macOS / Linux / Homebrew. Was firing on 30 lines without
  flagging a real risk.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: aksOps

sonar-project.properties

@@ -24,11 +24,25 @@ sonar.exclusions=\
     **/.codeiq/**,\
     internal/serve/dist/**,\
     ui/coverage/**,\
+    ui/e2e/**,\
     ui/playwright-report/**,\
     ui/test-results/**,\
     coverage.out,\
     docs/**
 
+# ── Issue suppressions ─────────────────────────────────────────────────
+# go:S4036 — "Make sure the PATH variable only contains fixed,
+# unwriteable directories." ctm is a CLI orchestrator that intentionally
+# resolves user-installed tools (git, tmux, claude, gh) via $PATH on
+# whatever box it's running on. Hardcoded absolute paths aren't viable
+# across macOS / Linux / Homebrew / system installs. The risk model is
+# the user's own shell, not a service account on a server, so the rule
+# fires by design rather than flagging real issues. Suppressed
+# project-wide.
+sonar.issue.ignore.multicriteria=path
+sonar.issue.ignore.multicriteria.path.ruleKey=go:S4036
+sonar.issue.ignore.multicriteria.path.resourceKey=**/*.go
+
 # ── Tests ──────────────────────────────────────────────────────────────
 # Sonar separates "test code" from "production code" so coverage and
 # duplication metrics target the right files. Playwright e2e specs