fix: SBOM multi-ecosystem support with correct package managers and licenses

- Extract package manager from PURL instead of CycloneDX component type
  (was showing "library"/"file" instead of "npm"/"cargo"/"pip" etc.)
- Generate missing lock files (Cargo.lock, package-lock.json) before Syft
  scan so repos that gitignore them still get full dependency trees
- Enable Syft remote license lookups for Go, JS, Python, and Java
- Enrich Cargo entries with license data from cargo metadata
- Parse CycloneDX license expressions (e.g. "MIT OR Apache-2.0")
- Delete stale SBOM entries on rescan instead of only upserting
- Add /api/v1/sbom/filters endpoint for dynamic filter options
- Make manager and license dropdowns dynamic from actual DB data
- Add cargo, npm, go, php, ruby, composer, bundler to Docker image

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

compliance-agent/src/api/handlers/mod.rs

@@ -554,6 +554,37 @@ pub async fn update_finding_feedback(
     Ok(Json(serde_json::json!({ "status": "updated" })))
 }
 
+pub async fn sbom_filters(
+    Extension(agent): AgentExt,
+) -> Result<Json<serde_json::Value>, StatusCode> {
+    let db = &agent.db;
+
+    let managers: Vec<String> = db
+        .sbom_entries()
+        .distinct("package_manager", doc! {})
+        .await
+        .unwrap_or_default()
+        .into_iter()
+        .filter_map(|v| v.as_str().map(|s| s.to_string()))
+        .filter(|s| !s.is_empty() && s != "unknown" && s != "file")
+        .collect();
+
+    let licenses: Vec<String> = db
+        .sbom_entries()
+        .distinct("license", doc! {})
+        .await
+        .unwrap_or_default()
+        .into_iter()
+        .filter_map(|v| v.as_str().map(|s| s.to_string()))
+        .filter(|s| !s.is_empty())
+        .collect();
+
+    Ok(Json(serde_json::json!({
+        "package_managers": managers,
+        "licenses": licenses,
+    })))
+}
+
 pub async fn list_sbom(
     Extension(agent): AgentExt,
     Query(filter): Query<SbomFilter>,