feat(state-hub): v0.3 schema — contributions + sbom_entries migrations, models, schemas, routers

Migrations (chain: b1c2d3e4f5a6 → c2d3e4f5a6b7 → d3e4f5a6b7c8):
- c2d3e4f5a6b7: contributions table (contributiontype BR/FR/EP/UPR enum,
  contributionstatus 7-state lifecycle, FKs to topics/workstreams)
- d3e4f5a6b7c8: sbom_entries table (ecosystem enum, snapshot-based replacement),
  + sbom_source + last_sbom_at columns on managed_repos

New models: Contribution (ContributionType, ContributionStatus), SBOMEntry (Ecosystem)
Modified: ManagedRepo (sbom_source, last_sbom_at columns)

New routers:
- /contributions/ — CRUD + lifecycle-guarded PATCH /status + soft-delete (withdrawn)
- /sbom/ — ingest (replace snapshot), list, per-repo view, licence report

Modified:
- /state/summary now includes contribution_counts and licence_risk_count
- main.py: registers contributions + sbom routers; bumps version to 0.6.0

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/routers/contributions.py

@@ -0,0 +1,147 @@
+import uuid
+from datetime import datetime, timezone
+
+from fastapi import APIRouter, Depends, HTTPException, Query, status
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from api.database import get_session
+from api.models.contribution import Contribution, ContributionStatus, ContributionType
+from api.schemas.contribution import ContributionCreate, ContributionRead, ContributionStatusPatch
+
+router = APIRouter(prefix="/contributions", tags=["contributions"])
+
+# Valid forward transitions in the lifecycle
+_VALID_TRANSITIONS: dict[ContributionStatus, set[ContributionStatus]] = {
+    ContributionStatus.draft: {
+        ContributionStatus.submitted,
+        ContributionStatus.withdrawn,
+    },
+    ContributionStatus.submitted: {
+        ContributionStatus.acknowledged,
+        ContributionStatus.rejected,
+        ContributionStatus.withdrawn,
+    },
+    ContributionStatus.acknowledged: {
+        ContributionStatus.accepted,
+        ContributionStatus.rejected,
+        ContributionStatus.withdrawn,
+    },
+    ContributionStatus.accepted: {
+        ContributionStatus.merged,
+        ContributionStatus.withdrawn,
+    },
+    ContributionStatus.rejected: set(),
+    ContributionStatus.merged: set(),
+    ContributionStatus.withdrawn: set(),
+}
+
+
+@router.get("/", response_model=list[ContributionRead])
+async def list_contributions(
+    type: ContributionType | None = Query(None),
+    status: ContributionStatus | None = Query(None),
+    target_repo: str | None = Query(None),
+    session: AsyncSession = Depends(get_session),
+) -> list[Contribution]:
+    q = select(Contribution).order_by(Contribution.created_at.desc())
+    if type is not None:
+        q = q.where(Contribution.type == type)
+    if status is not None:
+        q = q.where(Contribution.status == status)
+    if target_repo:
+        q = q.where(Contribution.target_repo == target_repo)
+    result = await session.execute(q)
+    return list(result.scalars().all())
+
+
+@router.post("/", response_model=ContributionRead, status_code=status.HTTP_201_CREATED)
+async def create_contribution(
+    body: ContributionCreate,
+    session: AsyncSession = Depends(get_session),
+) -> Contribution:
+    contrib = Contribution(
+        type=body.type,
+        target_org=body.target_org,
+        target_repo=body.target_repo,
+        slug=body.slug,
+        title=body.title,
+        body_path=body.body_path,
+        related_topic_id=body.related_topic_id,
+        related_workstream_id=body.related_workstream_id,
+        notes=body.notes,
+        status=ContributionStatus.draft,
+    )
+    session.add(contrib)
+    await session.commit()
+    await session.refresh(contrib)
+    return contrib
+
+
+@router.get("/{contribution_id}/", response_model=ContributionRead)
+async def get_contribution(
+    contribution_id: uuid.UUID,
+    session: AsyncSession = Depends(get_session),
+) -> Contribution:
+    return await _get_or_404(contribution_id, session)
+
+
+@router.patch("/{contribution_id}/status", response_model=ContributionRead)
+async def patch_contribution_status(
+    contribution_id: uuid.UUID,
+    body: ContributionStatusPatch,
+    session: AsyncSession = Depends(get_session),
+) -> Contribution:
+    contrib = await _get_or_404(contribution_id, session)
+    allowed = _VALID_TRANSITIONS.get(contrib.status, set())
+    if body.status not in allowed:
+        raise HTTPException(
+            status_code=422,
+            detail=(
+                f"Cannot transition from '{contrib.status}' to '{body.status}'. "
+                f"Allowed: {[s.value for s in allowed] or 'none (terminal state)'}"
+            ),
+        )
+    contrib.status = body.status
+    if body.notes:
+        contrib.notes = body.notes
+    now = datetime.now(tz=timezone.utc)
+    if body.status == ContributionStatus.submitted:
+        contrib.submitted_at = now
+    elif body.status in (
+        ContributionStatus.accepted, ContributionStatus.rejected,
+        ContributionStatus.merged, ContributionStatus.withdrawn,
+    ):
+        contrib.resolved_at = now
+    await session.commit()
+    await session.refresh(contrib)
+    return contrib
+
+
+@router.delete("/{contribution_id}/", status_code=status.HTTP_204_NO_CONTENT)
+async def withdraw_contribution(
+    contribution_id: uuid.UUID,
+    session: AsyncSession = Depends(get_session),
+) -> None:
+    """Soft-delete: sets status to 'withdrawn'."""
+    contrib = await _get_or_404(contribution_id, session)
+    if contrib.status == ContributionStatus.withdrawn:
+        return  # idempotent
+    if contrib.status in (ContributionStatus.merged, ContributionStatus.rejected):
+        raise HTTPException(
+            status_code=409,
+            detail=f"Cannot withdraw a contribution with status '{contrib.status}'.",
+        )
+    contrib.status = ContributionStatus.withdrawn
+    contrib.resolved_at = datetime.now(tz=timezone.utc)
+    await session.commit()
+
+
+async def _get_or_404(contribution_id: uuid.UUID, session: AsyncSession) -> Contribution:
+    result = await session.execute(
+        select(Contribution).where(Contribution.id == contribution_id)
+    )
+    contrib = result.scalar_one_or_none()
+    if contrib is None:
+        raise HTTPException(status_code=404, detail=f"Contribution '{contribution_id}' not found")
+    return contrib

api/routers/sbom.py

@@ -0,0 +1,146 @@
+from datetime import datetime, timezone
+
+from fastapi import APIRouter, Depends, HTTPException, Query
+from sqlalchemy import delete, func, select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from api.database import get_session
+from api.models.managed_repo import ManagedRepo
+from api.models.sbom_entry import Ecosystem, SBOMEntry
+from api.schemas.sbom import (
+    LicenceGroup,
+    LicenceReport,
+    SBOMEntryRead,
+    SBOMIngest,
+    SBOMRepoView,
+)
+
+router = APIRouter(prefix="/sbom", tags=["sbom"])
+
+_COPYLEFT_PATTERNS = {"GPL", "AGPL", "LGPL", "EUPL", "CDDL", "MPL"}
+
+
+def _is_copyleft(spdx: str | None) -> bool:
+    if not spdx:
+        return False
+    upper = spdx.upper()
+    return any(pat in upper for pat in _COPYLEFT_PATTERNS)
+
+
+@router.post("/ingest/")
+async def ingest_sbom(
+    body: SBOMIngest,
+    session: AsyncSession = Depends(get_session),
+) -> dict:
+    """Replace the SBOM snapshot for a repo. Old entries are deleted first."""
+    repo = await _get_repo_by_slug(body.repo_slug, session)
+    now = datetime.now(tz=timezone.utc)
+
+    # Delete existing snapshot for this repo
+    await session.execute(delete(SBOMEntry).where(SBOMEntry.repo_id == repo.id))
+
+    # Insert new entries
+    for entry in body.entries:
+        sbom = SBOMEntry(
+            repo_id=repo.id,
+            package_name=entry.package_name,
+            package_version=entry.package_version,
+            ecosystem=entry.ecosystem,
+            license_spdx=entry.license_spdx,
+            is_direct=entry.is_direct,
+            is_dev=entry.is_dev,
+            snapshot_at=now,
+            created_at=now,
+        )
+        session.add(sbom)
+
+    repo.last_sbom_at = now
+    if not repo.sbom_source:
+        repo.sbom_source = "manual"
+
+    await session.commit()
+    return {"repo_slug": body.repo_slug, "ingested": len(body.entries), "snapshot_at": now.isoformat()}
+
+
+@router.get("/")
+async def list_sbom_entries(
+    repo_slug: str | None = Query(None),
+    ecosystem: Ecosystem | None = Query(None),
+    license_spdx: str | None = Query(None),
+    is_direct: bool | None = Query(None),
+    is_dev: bool | None = Query(None),
+    session: AsyncSession = Depends(get_session),
+) -> list[SBOMEntryRead]:
+    q = select(SBOMEntry).order_by(SBOMEntry.package_name)
+    if repo_slug:
+        repo = await _get_repo_by_slug(repo_slug, session)
+        q = q.where(SBOMEntry.repo_id == repo.id)
+    if ecosystem is not None:
+        q = q.where(SBOMEntry.ecosystem == ecosystem)
+    if license_spdx:
+        q = q.where(SBOMEntry.license_spdx == license_spdx)
+    if is_direct is not None:
+        q = q.where(SBOMEntry.is_direct == is_direct)
+    if is_dev is not None:
+        q = q.where(SBOMEntry.is_dev == is_dev)
+    result = await session.execute(q)
+    return [SBOMEntryRead.model_validate(e) for e in result.scalars().all()]
+
+
+@router.get("/report/licences/", response_model=LicenceReport)
+async def licence_report(
+    session: AsyncSession = Depends(get_session),
+) -> LicenceReport:
+    """Group SBOM entries by SPDX licence identifier, flag copyleft."""
+    rows = await session.execute(
+        select(SBOMEntry, ManagedRepo.slug)
+        .join(ManagedRepo, ManagedRepo.id == SBOMEntry.repo_id)
+    )
+    # Build: license_spdx → {count, repos set}
+    groups: dict[str | None, dict] = {}
+    copyleft_direct_count = 0
+    for entry, repo_slug in rows.all():
+        key = entry.license_spdx
+        if key not in groups:
+            groups[key] = {"count": 0, "repos": set()}
+        groups[key]["count"] += 1
+        groups[key]["repos"].add(repo_slug)
+        if _is_copyleft(key) and entry.is_direct and not entry.is_dev:
+            copyleft_direct_count += 1
+
+    licence_groups = [
+        LicenceGroup(
+            license_spdx=lic,
+            count=info["count"],
+            repos=sorted(info["repos"]),
+            is_copyleft=_is_copyleft(lic),
+        )
+        for lic, info in sorted(groups.items(), key=lambda x: -x[1]["count"])
+    ]
+    return LicenceReport(groups=licence_groups, copyleft_direct_count=copyleft_direct_count)
+
+
+@router.get("/{repo_slug}/", response_model=SBOMRepoView)
+async def get_repo_sbom(
+    repo_slug: str,
+    session: AsyncSession = Depends(get_session),
+) -> SBOMRepoView:
+    repo = await _get_repo_by_slug(repo_slug, session)
+    rows = await session.execute(
+        select(SBOMEntry).where(SBOMEntry.repo_id == repo.id).order_by(SBOMEntry.package_name)
+    )
+    entries = list(rows.scalars().all())
+    return SBOMRepoView(
+        repo_slug=repo_slug,
+        last_sbom_at=repo.last_sbom_at,
+        entry_count=len(entries),
+        entries=[SBOMEntryRead.model_validate(e) for e in entries],
+    )
+
+
+async def _get_repo_by_slug(slug: str, session: AsyncSession) -> ManagedRepo:
+    result = await session.execute(select(ManagedRepo).where(ManagedRepo.slug == slug))
+    repo = result.scalar_one_or_none()
+    if repo is None:
+        raise HTTPException(status_code=404, detail=f"Repo '{slug}' not found")
+    return repo

api/routers/state.py

@@ -6,11 +6,13 @@ from sqlalchemy import func, select, text
 from sqlalchemy.ext.asyncio import AsyncSession
 
 from api.database import get_session, engine
+from api.models.contribution import Contribution, ContributionStatus, ContributionType
 from api.models.decision import Decision, DecisionStatus, DecisionType
 from api.models.domain import Domain
 from api.models.extension_point import ExtensionPoint
 from api.models.managed_repo import ManagedRepo
 from api.models.progress_event import ProgressEvent
+from api.models.sbom_entry import SBOMEntry
 from api.models.task import Task, TaskPriority, TaskStatus
 from api.models.technical_debt import TechnicalDebt
 from api.models.topic import Topic, TopicStatus
@@ -175,6 +177,33 @@ async def get_summary(session: AsyncSession = Depends(get_session)) -> StateSumm
     # Domain summary stats
     domain_summaries = await _build_domain_summaries(session)
 
+    # Contribution counts (by type and status)
+    contrib_type_counts = {r[0].value: r[1] for r in await session.execute(
+        select(Contribution.type, func.count()).group_by(Contribution.type)
+    )}
+    contrib_status_counts = {r[0].value: r[1] for r in await session.execute(
+        select(Contribution.status, func.count()).group_by(Contribution.status)
+    )}
+    contribution_counts = {**contrib_type_counts, **contrib_status_counts}
+
+    # Licence risk: copyleft packages in direct prod deps
+    _COPYLEFT_PATS = ("GPL", "AGPL", "LGPL", "EUPL", "CDDL", "MPL")
+    copyleft_risk_rows = await session.execute(
+        select(func.count()).select_from(SBOMEntry)
+        .where(SBOMEntry.is_direct.is_(True))
+        .where(SBOMEntry.is_dev.is_(False))
+    )
+    # Filter in Python since ILIKE across multiple patterns is verbose in SQLAlchemy
+    all_direct_prod_rows = await session.execute(
+        select(SBOMEntry.license_spdx)
+        .where(SBOMEntry.is_direct.is_(True))
+        .where(SBOMEntry.is_dev.is_(False))
+    )
+    licence_risk_count = sum(
+        1 for (lic,) in all_direct_prod_rows.all()
+        if lic and any(pat in lic.upper() for pat in _COPYLEFT_PATS)
+    )
+
     return StateSummary(
         generated_at=datetime.now(tz=timezone.utc),
         totals=totals,
@@ -184,6 +213,8 @@ async def get_summary(session: AsyncSession = Depends(get_session)) -> StateSumm
         recent_progress=[ProgressEventRead.model_validate(e) for e in recent],
         next_steps=next_steps,
         domains=domain_summaries,
+        contribution_counts=contribution_counts,
+        licence_risk_count=licence_risk_count,
         open_workstreams=[
             WorkstreamWithDeps(
                 **WorkstreamRead.model_validate(w).model_dump(),