SBOM generation for releases #3

@Brad-Edwards

Description

Pre-1.0 security item (ADR-0021)

Generate Software Bill of Materials for Rust and Python releases.

Decisions needed before spec

  • Format: SPDX vs CycloneDX
  • Who consumes the SBOM (compliance, downstream users, internal only?)
  • Where to publish (release asset, separate registry?)

When to action

When the first crate or Python package is published to crates.io/PyPI.

References

  • STANDARDS.md §10.5
  • ADR-0021 Layer 1 (Supply Chain)

Metadata

Labels: governance (Project governance and repo configuration)