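-- Migration 120: CRA Project SBOMs + reuse existing compliance_evidence_checks
-- For SBOM uploads (CycloneDX/SPDX), we add a dedicated table to track versions.
-- For automated checks (security.txt etc.), we reuse compliance_evidence_checks.
--
-- Layout: one statement per line group. A `--` comment runs to the end of the
-- physical line, so each comment must be followed by a line break or it
-- swallows the DDL after it.
--
-- Review notes (the schema below is unchanged; any tightening belongs in a
-- follow-up migration, because IF NOT EXISTS will not alter an existing table):
--   * tenant_id and cra_project_id are independent columns. Nothing in this
--     statement ties a row's tenant to the tenant that owns the project, and
--     no row-level security is enabled here, so tenant isolation rests on
--     every query filtering by tenant_id.
--   * cra_project_id has no FOREIGN KEY in this statement. Rows can outlive or
--     predate the project they point at.
--   * format and scan_status document their allowed values only in comments.
--     No CHECK constraint enforces them.
--   * component_count, summary, scan_status and scan_summary have defaults but
--     are nullable, so an explicit NULL is accepted.

CREATE TABLE IF NOT EXISTS compliance_cra_sboms (
    id              UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    cra_project_id  UUID NOT NULL,
    tenant_id       VARCHAR(255) NOT NULL,
    -- presumably the client-supplied upload name; treat as display data only -- TODO confirm
    filename        VARCHAR(500) NOT NULL,
    format          VARCHAR(20) NOT NULL,                 -- 'cyclonedx' | 'spdx'
    spec_version    VARCHAR(20),
    component_count INTEGER DEFAULT 0,
    -- presumably the full uploaded document; the database sets no size bound,
    -- so any limit has to be applied before insert -- TODO confirm
    raw_content     JSONB NOT NULL DEFAULT '{}'::jsonb,
    summary         JSONB DEFAULT '{}'::jsonb,            -- top-level metadata extracted
    scan_status     VARCHAR(20) DEFAULT 'pending',        -- pending | scanned | failed
    scan_summary    JSONB DEFAULT '{}'::jsonb,            -- osv.dev results (Phase 3.5)
    uploaded_at     TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    scanned_at      TIMESTAMPTZ
);

-- Lookup by project. cra_project_id is also the leading column of
-- idx_cra_sboms_uploaded below.
CREATE INDEX IF NOT EXISTS idx_cra_sboms_project
    ON compliance_cra_sboms (cra_project_id);

-- Lookup by tenant.
CREATE INDEX IF NOT EXISTS idx_cra_sboms_tenant
    ON compliance_cra_sboms (tenant_id);

-- Newest-first listing of a project's SBOM versions.
CREATE INDEX IF NOT EXISTS idx_cra_sboms_uploaded
    ON compliance_cra_sboms (cra_project_id, uploaded_at DESC);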