feat(sbom): add lightweight SBOM lookup endpoint for CLI delete utility#2313

Draft
bxf12315 wants to merge 2 commits into guacsec:main from bxf12315:TC-4003
Conversation

Contributor

@bxf12315 bxf12315 commented Apr 7, 2026

Add GET /v2/sbom/lookup endpoint that returns only sbom_id and document_id by joining only the sbom and source_document tables. This avoids the 15+ table joins of the full SBOM search endpoint, providing efficient bulk lookups for CLI prune/delete operations.

Implements TC-4003

Summary by Sourcery

Add a lightweight SBOM lookup API for efficient bulk retrieval of SBOM and document identifiers.

New Features:

  • Introduce GET /api/v2/sbom/lookup endpoint to return only SBOM and document IDs for matching SBOMs.
  • Add SbomLookup model and paginated response schema for lightweight SBOM lookup results.

Enhancements:

  • Wire the new SBOM lookup endpoint through the SBOM service with an optimized query that joins only SBOM and source_document tables.

Contributor

sourcery-ai bot commented Apr 7, 2026

Reviewer's Guide

Adds a new lightweight SBOM lookup API and corresponding Rust service/model plumbing to support efficient bulk CLI prune/delete operations by querying only sbom and source_document and returning just sbom_id and document_id in a paginated format.

Sequence diagram for the new lightweight SBOM lookup API

sequenceDiagram
    actor CliTool
    participant SbomApi as SbomLookupEndpoint
    participant SbomService
    participant Database

    CliTool->>SbomApi: GET /v2/sbom/lookup?q=...&offset=...&limit=...
    SbomApi->>SbomService: fetch_sbom_lookups(search, paginated, connection)
    SbomService->>Database: BEGIN READ TRANSACTION
    SbomService->>Database: SELECT sbom_id, document_id
    activate Database
    Database-->>SbomService: PaginatedResults<SbomLookup>
    deactivate Database
    SbomService-->>SbomApi: PaginatedResults<SbomLookup>
    SbomApi-->>CliTool: 200 OK (JSON with items[sbom_id, document_id])

Class diagram for the SbomLookup model and service changes

classDiagram
    class SbomLookup {
        <<data>>
        +Uuid sbom_id
        +Option_String document_id
    }

    class PaginatedResults_SbomLookup {
        <<data>>
        +int64 total
        +SbomLookup[] items
    }

    class SbomService {
        +fetch_sbom_lookups(search Query, paginated Paginated, connection ConnectionTrait) PaginatedResults_SbomLookup
    }

    class Query
    class Paginated {
        +int64 offset
        +int64 limit
    }

    class ConnectionTrait

    PaginatedResults_SbomLookup "*" o-- SbomLookup : items
    SbomService ..> PaginatedResults_SbomLookup : returns
    SbomService ..> Query : uses
    SbomService ..> Paginated : uses
    SbomService ..> ConnectionTrait : uses

File-Level Changes

Change | Details | Files
Expose a new lightweight SBOM lookup REST endpoint in the OpenAPI spec and response schema.
  • Add GET /api/v2/sbom/lookup path with query, sort, offset, and limit parameters mirroring existing SBOM search semantics.
  • Define PaginatedResults_SbomLookup and SbomLookup response schemas returning only sbom_id and document_id.
  • Document the endpoint’s purpose and behavior as an efficient alternative to the full listSboms endpoint.
openapi.yaml
Register a new Actix endpoint that delegates lightweight lookup requests to the SBOM service.
  • Import SbomLookup model into the sbom endpoints module.
  • Register the lookup service handler in the configure() function so it is exposed under /v2/sbom/lookup.
  • Implement the lookup() handler that parses Query and Paginated, enforces ReadSbom auth, and returns PaginatedResults from the service.
modules/fundamental/src/sbom/endpoints/mod.rs
Implement efficient database query logic to fetch lightweight SBOM lookups with minimal joins.
  • Add SbomService::fetch_sbom_lookups that joins sbom with source_document only, selects sbom_id and document_id, and applies pagination.
  • Use filtering_with with Columns from sbom and source_document and a translator for label:* filters, mirroring existing query semantics where relevant.
  • Return results wrapped in PaginatedResults with total and items derived from the limiter helper.
modules/fundamental/src/sbom/service/sbom.rs
Introduce a new SbomLookup model for query mapping and schema generation.
  • Define SbomLookup struct with sbom_id (UUID serialized as URN string) and optional document_id.
  • Derive Serialize, Deserialize, Debug, Clone, ToSchema, and FromQueryResult so it can be used both in API responses and SeaORM query mapping.
  • Document the struct as a lightweight result tailored for bulk CLI delete/prune operations.
modules/fundamental/src/sbom/model/mod.rs

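To make the behaviour described in the PR description and in the "Implement efficient database query logic" entry of the reviewer's guide concrete, here is an added in-memory model of the lookup (illustration code, not code from this PR or from the trustify project). It takes rows as they would come from joining `sbom` with `source_document`, applies the search, and returns only `sbom_id` (as a `urn:uuid:` string) and `document_id` with `offset`/`limit` pagination and a `total` that counts every match, not just the page. Everything beyond those stated semantics is assumed: a free-text `name` field matched by substring, a `label:key=value` filter syntax standing in for the `label:*` translator, and the `DEFAULT_LIMIT`/`MAX_LIMIT` bounds, which show the one control a lightweight bulk endpoint still needs so that a caller cannot request an unbounded page.

```rust
use std::collections::BTreeMap;

/// One joined row of `sbom` with `source_document` (constructed sample shape;
/// the real service reads this through a SeaORM join, which is not modelled here).
#[derive(Debug, Clone)]
pub struct SbomRow {
    pub sbom_id: String,             // raw UUID string
    pub document_id: Option<String>, // NULL when no source document is attached
    pub name: String,                // free-text searchable field (assumption)
    pub labels: BTreeMap<String, String>,
}

/// The lightweight result: only the two identifiers the delete utility needs.
#[derive(Debug, Clone, PartialEq)]
pub struct SbomLookup {
    pub sbom_id: String, // serialized as "urn:uuid:<id>"
    pub document_id: Option<String>,
}

#[derive(Debug, Clone, PartialEq)]
pub struct PaginatedResults<T> {
    pub total: u64,
    pub items: Vec<T>,
}

#[derive(Debug, Clone, Copy)]
pub struct Paginated {
    pub offset: u64,
    pub limit: u64,
}

/// Assumed bounds (not from the PR): `limit=0` falls back to the default page
/// size, and no caller can request more than MAX_LIMIT rows in one page.
pub const DEFAULT_LIMIT: u64 = 25;
pub const MAX_LIMIT: u64 = 1000;

/// Split `q` into free-text terms and `label:key=value` filters
/// (assumed syntax, modelled on the label translator the review guide mentions).
pub fn parse_query(q: &str) -> (Vec<String>, Vec<(String, String)>) {
    let mut terms = Vec::new();
    let mut labels = Vec::new();
    for token in q.split_whitespace() {
        match token.strip_prefix("label:").and_then(|kv| kv.split_once('=')) {
            Some((k, v)) => labels.push((k.to_string(), v.to_string())),
            None => terms.push(token.to_lowercase()),
        }
    }
    (terms, labels)
}

/// A row matches when every free-text term occurs in its name and every
/// requested label is present with exactly that value.
fn matches(row: &SbomRow, terms: &[String], labels: &[(String, String)]) -> bool {
    let name = row.name.to_lowercase();
    terms.iter().all(|t| name.contains(t.as_str()))
        && labels.iter().all(|(k, v)| row.labels.get(k) == Some(v))
}

/// Filter, count, then page: `total` is the full match count, `items` the page.
pub fn fetch_sbom_lookups(rows: &[SbomRow], q: &str, page: Paginated) -> PaginatedResults<SbomLookup> {
    let (terms, labels) = parse_query(q);
    let matched: Vec<&SbomRow> = rows.iter().filter(|r| matches(r, &terms, &labels)).collect();
    // Bound the page size before it reaches the data layer.
    let limit = if page.limit == 0 { DEFAULT_LIMIT } else { page.limit.min(MAX_LIMIT) };
    let items = matched
        .iter()
        .skip(page.offset as usize)
        .take(limit as usize)
        .map(|r| SbomLookup {
            sbom_id: format!("urn:uuid:{}", r.sbom_id),
            document_id: r.document_id.clone(),
        })
        .collect();
    PaginatedResults { total: matched.len() as u64, items }
}

/// Constructed sample rows; the UUIDs and names are placeholders.
pub fn sample_rows() -> Vec<SbomRow> {
    let row = |id: &str, doc: Option<&str>, name: &str, kind: &str| SbomRow {
        sbom_id: id.to_string(),
        document_id: doc.map(str::to_string),
        name: name.to_string(),
        labels: BTreeMap::from([("type".to_string(), kind.to_string())]),
    };
    vec![
        row("00000000-0000-0000-0000-000000000001", Some("doc-1"), "quarkus-bom", "cyclonedx"),
        row("00000000-0000-0000-0000-000000000002", Some("doc-2"), "log4j-core", "spdx"),
        row("00000000-0000-0000-0000-000000000003", None, "quarkus-extra", "cyclonedx"),
    ]
}

fn main() {
    let rows = sample_rows();
    let page = fetch_sbom_lookups(&rows, "label:type=cyclonedx", Paginated { offset: 0, limit: 10 });
    println!("total={} items={:?}", page.total, page.items);
}
```

The point for a bulk delete client is the `total`/`items` split: a page past the end still reports the full match count, so the CLI can loop on `offset` until `items` is empty without re-issuing the count, and the capped `limit` keeps each page, and the underlying two-table query, bounded regardless of what the caller asks for.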

bxf12315 and others added 2 commits April 7, 2026 14:14
Add GET /v2/sbom/lookup endpoint that returns only sbom_id and
document_id by joining only the sbom and source_document tables.
This avoids the 15+ table joins of the full SBOM search endpoint,
providing efficient bulk lookups for CLI prune/delete operations.

Implements TC-4003

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add three tests covering the /v2/sbom/lookup endpoint:
- lookup_sboms: basic response validation with sbom_id and document_id
- lookup_sboms_search: search filtering across multiple SBOMs
- lookup_sboms_pagination: limit/offset pagination

Implements TC-4003

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

codecov bot commented Apr 7, 2026

Codecov Report

❌ Patch coverage is 73.91304% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.71%. Comparing base (b79699e) to head (11b1790).

Files with missing lines | Patch % | Lines
modules/fundamental/src/sbom/service/sbom.rs | 63.63% | 4 Missing ⚠️
modules/fundamental/src/sbom/endpoints/mod.rs | 83.33% | 0 Missing and 2 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2313      +/-   ##
==========================================
+ Coverage   67.62%   67.71%   +0.08%     
==========================================
  Files         436      436              
  Lines       24835    24858      +23     
  Branches    24835    24858      +23     
==========================================
+ Hits        16795    16832      +37     
+ Misses       7151     7128      -23     
- Partials      889      898       +9     

Contributor

@ctron ctron left a comment


I am against adding a random use case without having a clear picture of how we want to manage the API. Just adding a new endpoint, out of pattern with the rest, ignoring the ongoing change of the API, will only create more clutter and make the code more complex.

There is a new v3 "list SBOMs" endpoint, which wasn't released yet. So we can break its API. This has to be coordinated with the UI. The possible deficiencies of this endpoint can be worked on. Which serves everyone.
