feat(state-hub): v0.3 schema — contributions + sbom_entries migrations, models, schemas, routers

Migrations (chain: b1c2d3e4f5a6 → c2d3e4f5a6b7 → d3e4f5a6b7c8):
- c2d3e4f5a6b7: contributions table (contributiontype BR/FR/EP/UPR enum,
  contributionstatus 7-state lifecycle, FKs to topics/workstreams)
- d3e4f5a6b7c8: sbom_entries table (ecosystem enum, snapshot-based replacement),
  + sbom_source + last_sbom_at columns on managed_repos

New models: Contribution (ContributionType, ContributionStatus), SBOMEntry (Ecosystem)
Modified: ManagedRepo (sbom_source, last_sbom_at columns)

New routers:
- /contributions/ — CRUD + lifecycle-guarded PATCH /status + soft-delete (withdrawn)
- /sbom/ — ingest (replace snapshot), list, per-repo view, licence report

Modified:
- /state/summary now includes contribution_counts and licence_risk_count
- main.py: registers contributions + sbom routers; bumps version to 0.6.0

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/routers/state.py

@@ -6,11 +6,13 @@ from sqlalchemy import func, select, text
 from sqlalchemy.ext.asyncio import AsyncSession
 
 from api.database import get_session, engine
+from api.models.contribution import Contribution, ContributionStatus, ContributionType
 from api.models.decision import Decision, DecisionStatus, DecisionType
 from api.models.domain import Domain
 from api.models.extension_point import ExtensionPoint
 from api.models.managed_repo import ManagedRepo
 from api.models.progress_event import ProgressEvent
+from api.models.sbom_entry import SBOMEntry
 from api.models.task import Task, TaskPriority, TaskStatus
 from api.models.technical_debt import TechnicalDebt
 from api.models.topic import Topic, TopicStatus
@@ -175,6 +177,33 @@ async def get_summary(session: AsyncSession = Depends(get_session)) -> StateSumm
     # Domain summary stats
     domain_summaries = await _build_domain_summaries(session)
 
+    # Contribution counts (by type and status)
+    contrib_type_counts = {r[0].value: r[1] for r in await session.execute(
+        select(Contribution.type, func.count()).group_by(Contribution.type)
+    )}
+    contrib_status_counts = {r[0].value: r[1] for r in await session.execute(
+        select(Contribution.status, func.count()).group_by(Contribution.status)
+    )}
+    contribution_counts = {**contrib_type_counts, **contrib_status_counts}
+
+    # Licence risk: copyleft packages in direct prod deps
+    _COPYLEFT_PATS = ("GPL", "AGPL", "LGPL", "EUPL", "CDDL", "MPL")
+    copyleft_risk_rows = await session.execute(
+        select(func.count()).select_from(SBOMEntry)
+        .where(SBOMEntry.is_direct.is_(True))
+        .where(SBOMEntry.is_dev.is_(False))
+    )
+    # Filter in Python since ILIKE across multiple patterns is verbose in SQLAlchemy
+    all_direct_prod_rows = await session.execute(
+        select(SBOMEntry.license_spdx)
+        .where(SBOMEntry.is_direct.is_(True))
+        .where(SBOMEntry.is_dev.is_(False))
+    )
+    licence_risk_count = sum(
+        1 for (lic,) in all_direct_prod_rows.all()
+        if lic and any(pat in lic.upper() for pat in _COPYLEFT_PATS)
+    )
+
     return StateSummary(
         generated_at=datetime.now(tz=timezone.utc),
         totals=totals,
@@ -184,6 +213,8 @@ async def get_summary(session: AsyncSession = Depends(get_session)) -> StateSumm
         recent_progress=[ProgressEventRead.model_validate(e) for e in recent],
         next_steps=next_steps,
         domains=domain_summaries,
+        contribution_counts=contribution_counts,
+        licence_risk_count=licence_risk_count,
         open_workstreams=[
             WorkstreamWithDeps(
                 **WorkstreamRead.model_validate(w).model_dump(),