added signed artifacts and SBOM generation capabilities

internal/models/migrations/001_init.go

@@ -52,5 +52,11 @@ func Run(engine *xorm.Engine) error {
 	if err := Run013(engine); err != nil {
 		return err
 	}
-	return Run014(engine)
+	if err := Run014(engine); err != nil {
+		return err
+	}
+	if err := Run015(engine); err != nil {
+		return err
+	}
+	return Run016(engine)
 }

internal/models/migrations/015_signing.go

@@ -0,0 +1,10 @@
+package migrations
+
+import (
+	"github.com/forgeo/forgebucket/internal/models"
+	"xorm.io/xorm"
+)
+
+func Run015(engine *xorm.Engine) error {
+	return engine.Sync2(&models.ArtifactSignature{})
+}

internal/models/migrations/016_sbom.go

@@ -0,0 +1,10 @@
+package migrations
+
+import (
+	"github.com/forgeo/forgebucket/internal/models"
+	"xorm.io/xorm"
+)
+
+func Run016(engine *xorm.Engine) error {
+	return engine.Sync2(&models.SBOMReport{})
+}

internal/models/sbom.go

@@ -0,0 +1,17 @@
+package models
+
+import "time"
+
+// SBOMReport stores the generated CycloneDX BOM for a repo at a specific SHA.
+// BOMDocument holds the full JSON but is not returned by list endpoints —
+// use the dedicated document endpoint to stream it.
+type SBOMReport struct {
+	ID             int64     `xorm:"'id' pk autoincr"              json:"id"`
+	RepoID         int64     `xorm:"'repo_id' notnull index"       json:"repoId"`
+	RunID          int64     `xorm:"'run_id' index"                json:"runId"`  // 0 = on-demand
+	SHA            string    `xorm:"'sha' varchar(40)"             json:"sha"`
+	Format         string    `xorm:"'format' varchar(30)"          json:"format"` // "cyclonedx-json-1.4"
+	ComponentCount int       `xorm:"'component_count'"             json:"componentCount"`
+	BOMDocument    string    `xorm:"'bom_document' text"           json:"-"` // full JSON, not returned in lists
+	GeneratedAt    time.Time `xorm:"'generated_at'"                json:"generatedAt"`
+}

internal/models/signing.go

@@ -0,0 +1,16 @@
+package models
+
+import "time"
+
+// ArtifactSignature stores the Cosign-compatible signature bundle produced
+// when an artifact is uploaded.  The BundleJSON field is the full self-contained
+// bundle so consumers can verify without hitting the API again.
+type ArtifactSignature struct {
+	ID         int64     `xorm:"'id' pk autoincr"               json:"id"`
+	ArtifactID int64     `xorm:"'artifact_id' notnull unique"   json:"artifactId"`
+	KeyID      string    `xorm:"'key_id' varchar(32)"           json:"keyId"`
+	Algorithm  string    `xorm:"'algorithm' varchar(50)"        json:"algorithm"` // "ecdsa-p256-sha256"
+	Digest     string    `xorm:"'digest' varchar(80)"           json:"digest"`    // "sha256:<hex>"
+	BundleJSON string    `xorm:"'bundle_json' text"             json:"-"`         // full bundle, not surfaced directly
+	SignedAt   time.Time `xorm:"'signed_at'"                    json:"signedAt"`
+}