
Fix/gad product slug

Open gheyderov opened this issue 3 months ago • 0 comments

Problem: GAD slugs like go.etcd.io/etcd/client/v3 previously resulted in incorrect product names such as v3, lib, or client. This happened because the parser simply used the last path segment (parts[-1]) as the product name.

Solution: Introduced a new helper function _derive_vendor_product_from_slug(slug) with conservative heuristics to extract more meaningful vendor/product values:
• Strip trailing /vN suffixes (e.g., v3, v10, v3.1)
• Remove common non-product tails like lib, client, clients, sync, pkg, cmd, internal, src, test
• Map github.com/org/repo → vendor = org, product = repo
• For custom hosts (e.g., go.etcd.io/etcd/...) → use the second segment as product and set vendor = UNKNOWN for now

Replaced the previous parts[-1] logic with this helper in gad_source.py.

Tests: Added dedicated unit tests (test/test_gad_slug_parser.py) covering:
• go.etcd.io/etcd/client/v3 → product = etcd
• go.mozilla.org/sops/v3 → product = sops
• github.com/cloudflare/cfrpki/sync/lib → vendor = cloudflare, product = cfrpki

pytest -k gad → 9 passed, 3 skipped.

Notes:
• The heuristics are deliberately conservative; no guessing or LLM-based inference.
• Additional host-specific rules can be added later if needed.

gheyderov avatar Oct 14 '25 08:10 gheyderov
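The heuristics listed in the PR description, written out as a stand-alone Python function so the behaviour on the three test slugs (and on a couple of edge cases the description implies, such as a GitHub repository genuinely named lib) can be checked. This is an added example, not the code from cve-bin-tool's gad_source.py or its tests; the function name, the "minimum segment count" guard that stops a tail from being stripped when it is the only candidate product, and the legacy_product() helper showing the old parts[-1] behaviour are all assumptions made here for illustration.

```python
import re
from typing import List, Tuple

# Trailing Go-style major-version segments: v3, v10, v3.1 ...
_VERSION_SEGMENT = re.compile(r"^v\d+(\.\d+)*$")

# Path tails that name a sub-package or layout directory, not the product.
_NON_PRODUCT_TAILS = frozenset(
    {"lib", "client", "clients", "sync", "pkg", "cmd", "internal", "src", "test"}
)

UNKNOWN = "UNKNOWN"


def legacy_product(slug: str) -> str:
    """The old behaviour the PR replaces: take the last path segment as-is."""
    return slug.strip("/").split("/")[-1]


def _split(slug: str) -> List[str]:
    """Split a slug into non-empty path segments."""
    return [p for p in slug.strip().strip("/").split("/") if p]


def derive_vendor_product_from_slug(slug: str) -> Tuple[str, str]:
    """Derive (vendor, product) from a GAD slug using conservative rules.

    Rules, in order:
      1. drop trailing version segments (v3, v10, v3.1);
      2. drop known non-product tails (lib, client, sync, ...);
      3. github.com/<org>/<repo> -> (org, repo);
      4. any other host -> (UNKNOWN, second segment).

    Assumption (not stated in the PR): a tail is only stripped while more
    segments remain than the rule needs, so github.com/foo/lib keeps "lib"
    as the product instead of collapsing to github.com/foo.
    """
    parts = _split(slug)
    if not parts:
        return (UNKNOWN, UNKNOWN)

    host = parts[0].lower()
    is_github = host == "github.com"
    # host + org + repo for GitHub; host + product elsewhere.
    min_len = 3 if is_github else 2

    # Rules 1 and 2: peel versions and non-product tails from the right,
    # but never below the minimum number of meaningful segments.
    while len(parts) > min_len:
        tail = parts[-1]
        if _VERSION_SEGMENT.match(tail) or tail.lower() in _NON_PRODUCT_TAILS:
            parts.pop()
            continue
        break

    # Rule 3: github.com/org/repo
    if is_github:
        if len(parts) >= 3:
            return (parts[1], parts[2])
        # Too short to identify a repo; fall back to the last segment.
        return (UNKNOWN, parts[-1])

    # Rule 4: custom host -> second segment is the product, vendor unknown.
    if len(parts) >= 2:
        return (UNKNOWN, parts[1])
    return (UNKNOWN, parts[-1])


if __name__ == "__main__":
    # Constructed sample slugs: the three from the PR plus two edge cases.
    for s in (
        "go.etcd.io/etcd/client/v3",
        "go.mozilla.org/sops/v3",
        "github.com/cloudflare/cfrpki/sync/lib",
        "github.com/foo/lib",
        "github.com/foo/bar/v10",
    ):
        print(f"{s:45} legacy={legacy_product(s):8} new={derive_vendor_product_from_slug(s)}")
```

Running the block prints the old parts[-1] result beside the new (vendor, product) pair for each slug, which makes the regression the PR describes (v3, lib and client being reported as products) visible next to the corrected values.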