SBOM generation in CI for backend artifacts

[greatest0fallt1me]

Description

• Attach CycloneDX or SPDX on releases.

Requirements and context

• Must be secure, tested, and documented for production operation.
• Should be efficient, observable, and easy to review in PRs.
• Scope is Predictify backend / off-chain services only (no Soroban contract changes, no frontend UI in this issue).

Suggested execution

• Fork the repository and create a branch:
  • git checkout -b feature/sbom-ci
• Implement changes:
  1. Service / module: implement in .github/workflows/sbom.yml and related packages as needed.
  2. Tests: add or extend CI validation only (unit + integration where applicable).
  3. Documentation: update or add docs/backend/SUPPLY_CHAIN.md (architecture notes, OpenAPI, or runbooks).
  4. Comments & types: document public APIs, config knobs, and failure modes clearly.

Primary touchpoints: .github/workflows/sbom.yml

Test and commit

• Run the project test command (e.g. pytest, cargo test, or npm test — follow repo conventions).
• Cover edge cases listed in the description; add regression tests for any bug found.
• In the PR, include summarized test output and security / ops notes (authn/z, data handling, rate limits).

Example commit message

ci(security): generate backend sbom

Guidelines

• Target ≥ 95% coverage on new or materially changed modules (per language/tooling configured in CI).
• Documentation must allow a new engineer to operate and verify the feature locally.
• Timeframe: 96 hours from assignment.