proxy mirror --sbom path.json works from the CLI but POST /api/mirror only accepts {"purls": [...]} — JobRequest in internal/mirror/job.go has no SBOM field and sourceFromRequest rejects anything else.
Add an sbom field to JobRequest that takes the raw document inline:
{"sbom": {"bomFormat": "CycloneDX", "components": [...]}}
SBOMSource currently does os.ReadFile(s.Path) then passes []byte to the extract functions, so the change is splitting that into a Data []byte field and moving the file read up to the CLI caller. sourceFromRequest then returns &SBOMSource{Data: req.SBOM} when the field is set.
This lets CI jobs post their build's SBOM straight to the proxy to warm the cache without writing a temp file or shelling out.
proxy mirror --sbom path.jsonworks from the CLI butPOST /api/mirroronly accepts{"purls": [...]}—JobRequestininternal/mirror/job.gohas no SBOM field andsourceFromRequestrejects anything else.Add an
sbomfield toJobRequestthat takes the raw document inline:SBOMSourcecurrently doesos.ReadFile(s.Path)then passes[]byteto the extract functions, so the change is splitting that into aData []bytefield and moving the file read up to the CLI caller.sourceFromRequestthen returns&SBOMSource{Data: req.SBOM}when the field is set.This lets CI jobs post their build's SBOM straight to the proxy to warm the cache without writing a temp file or shelling out.