feat(gems): three-pass schema migration aligning state-hub with GEMS

Implements CUST-WP-0007. Resolves inconsistencies I-1, I-2, I-5, I-6
identified in the GEMS audit (GenericEntityModellingSystem.md).

Pass 1 (e1f2a3b4c5d6): domain_id FK on extension_points and
technical_debt (replaces raw string column); repo_id FK on contributions.
Fixes domain-filtering bugs in EP/TD dashboard pages.

Pass 2 (f2a3b4c5d6e7): repo_id nullable FK on workstreams, aligning
the GEMS primary attachment with ADR-001 (repo > topic). Dashboard
pages updated to prefer repo->domain over topic->domain.

Pass 3 (a3b4c5d6e7f8): SBOMSnapshot container entity (GEMS Complex
between Repository and SBOMEntry). Ingest is now additive — each call
creates a new snapshot; history is retained. List/report endpoints
filter to latest snapshot per repo via _latest_snapshot_ids_subquery().
New endpoints: GET /sbom/snapshots/, GET /sbom/snapshots/{id}/.
Dashboard gains a Snapshot History section.

Also adds GEMS analysis artefacts: wiki/GEMS-StateHub-TypeRegistry.md,
wiki/GEMS-StateHub-SWOT.md, workplans/CUST-WP-0006 (analysis),
workplans/CUST-WP-0007 (migration, now completed).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/routers/technical_debt.py

@@ -12,10 +12,21 @@ from api.schemas.technical_debt import TDCreate, TDRead, TDUpdate
 router = APIRouter(prefix="/technical-debt", tags=["technical-debt"])
 
 
-async def _get_valid_domain_slugs(session: AsyncSession) -> set[str]:
-    """Return the set of active domain slugs from the DB."""
-    rows = await session.execute(select(Domain.slug).where(Domain.status == "active"))
-    return {r[0] for r in rows.all()}
+async def _resolve_domain_id(slug: str, session: AsyncSession) -> uuid.UUID:
+    """Resolve a domain slug to its UUID, raising 422 if unknown."""
+    row = await session.execute(
+        select(Domain.id).where(Domain.slug == slug, Domain.status == "active")
+    )
+    domain_id = row.scalar_one_or_none()
+    if domain_id is None:
+        valid = [r[0] for r in (await session.execute(
+            select(Domain.slug).where(Domain.status == "active")
+        )).all()]
+        raise HTTPException(
+            status_code=422,
+            detail=f"Unknown domain '{slug}'. Valid domains: {sorted(valid)}",
+        )
+    return domain_id
 
 
 @router.get("/", response_model=list[TDRead])
@@ -28,7 +39,8 @@ async def list_td(
 ) -> list[TechnicalDebt]:
     q = select(TechnicalDebt)
     if domain:
-        q = q.where(TechnicalDebt.domain == domain)
+        domain_id = await _resolve_domain_id(domain, session)
+        q = q.where(TechnicalDebt.domain_id == domain_id)
     if status:
         q = q.where(TechnicalDebt.status == status)
     if debt_type:
@@ -45,13 +57,10 @@ async def create_td(
     body: TDCreate,
     session: AsyncSession = Depends(get_session),
 ) -> TechnicalDebt:
-    valid_domains = await _get_valid_domain_slugs(session)
-    if body.domain not in valid_domains:
-        raise HTTPException(
-            status_code=422,
-            detail=f"Unknown domain '{body.domain}'. Valid domains: {sorted(valid_domains)}",
-        )
-    td = TechnicalDebt(**body.model_dump())
+    domain_id = await _resolve_domain_id(body.domain, session)
+    data = body.model_dump(exclude={"domain"})
+    data["domain_id"] = domain_id
+    td = TechnicalDebt(**data)
     session.add(td)
     await session.commit()
     await session.refresh(td)