
fix: improve custom SAST rule activation, filtering semantics + config observability#61

Draft
lelia wants to merge 4 commits into main from lelia/fix-custom-rule-logic

Conversation

Contributor

@lelia lelia commented Apr 10, 2026

Summary

This PR improves custom SAST execution gaps and makes config behavior observable in logs. It also hardens precedence handling so environment/API custom-rule settings are not unintentionally overwritten by CLI defaults.

Changes

  • Normalize custom SAST API fields:
    • useCustomSastRules -> use_custom_sast_rules
    • customSastRulePath / customSastRulesPath -> custom_sast_rule_path
  • Improve runtime observability:
    • config-source/effective custom SAST logs
    • OpenGrep rule selection logs (custom vs bundled)
    • enabled-rule filter visibility
  • Fix dynamic CLI arg defaults:
    • use None defaults for dynamic string/int args so absent CLI args do not override env/API config
  • Adjust custom-rule filtering semantics:
    • when using custom rules, and allowlist IDs do not match custom rule IDs, use all custom rules for that language and warn the user
    • when allowlist IDs do match custom IDs, apply allowlist as expected
  • Clarify docs for custom rules and precedence

Adds

  • tests/test_config_custom_sast.py
    • API normalization tests
    • env/API/JSON merge precedence tests
    • regression test for dynamic CLI default overwrite issue
  • tests/test_opengrep_custom_rules.py
    • custom-vs-bundled config selection tests
    • custom allowlist mismatch/match semantic tests
    • fallback logic test

Testing

  • All new and existing unit tests pass
  • Local dry-run validation confirming:
    • resolved custom path
    • temp custom rule files generated
    • OpenGrep command uses custom temp files
    • warning when allowlist IDs do not match custom IDs
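Added illustration, not the PR's or the project's own code, of the three behaviours the description lists: API field normalization, None-default CLI arguments that do not clobber API/env values, and the allowlist fallback for custom rules. The function names, the CLI > API > env precedence order, and the sample rule IDs are assumptions.

```python
# Added example (hypothetical names); the precedence order CLI > API > env is assumed.
import logging
from typing import Optional

log = logging.getLogger("custom_sast")

# Assumed camelCase -> snake_case map for the API fields the PR normalizes.
API_FIELD_MAP = {
    "useCustomSastRules": "use_custom_sast_rules",
    "customSastRulePath": "custom_sast_rule_path",
    "customSastRulesPath": "custom_sast_rule_path",
}


def normalize_api_config(api: dict) -> dict:
    """Rename camelCase API keys to the snake_case keys the rest of the config uses."""
    return {API_FIELD_MAP.get(k, k): v for k, v in api.items()}


def resolve_setting(key: str, cli: dict, api: dict, env: dict, default=None):
    """Return the value from the highest-precedence source that actually set the key.

    CLI args default to None (meaning "absent"), so a flag the user did not pass
    no longer overwrites a value that came from the API or the environment.
    A non-None default such as "" or 0 would win here and cause exactly that bug.
    """
    for source in (cli, normalize_api_config(api), env):
        value = source.get(key)
        if value is not None:
            return value
    return default


def select_custom_rules(custom_rules: dict, allowlist: Optional[set]) -> dict:
    """Apply an enabled-rule allowlist to the custom rules of one language.

    If no allowlist ID matches a custom rule ID, the allowlist was probably written
    for the bundled rule set: run all custom rules and warn, rather than running none.
    """
    if not allowlist:
        return dict(custom_rules)
    matched = {rid: rule for rid, rule in custom_rules.items() if rid in allowlist}
    if not matched:
        log.warning("no allowlist IDs match custom rule IDs %s; using all %d custom rules",
                    sorted(custom_rules), len(custom_rules))
        return dict(custom_rules)
    return matched
```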

lelia added 4 commits April 9, 2026 22:37
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
