chore: fix sbom

docs/BUILD.md

@@ -367,7 +367,7 @@ cargo test -- --test-threads=4
 
 ## Compliance & SBOM Generation
 
-Generate Software Bill of Materials (SBOM) for supply chain transparency.
+Generate Software Bill of Materials (SBOM) for supply chain transparency using [`cargo-sbom`](https://crates.io/crates/cargo-sbom).
 
 ### Regenerate SBOMs
 
@@ -378,9 +378,8 @@ just distro::generate-sbom
 ```
 
 This regenerates:
-- **LICENSE.md** - Dependency attribution and licenses
-- **SBOM.spdx.json** - SPDX 2.3 standard format
-- **SBOM.cyclonedx.json** - CycloneDX 1.4 format
+- **SBOM.spdx.json** - SPDX 2.3 standard format (ISO/IEC 5962:2021)
+- **SBOM.cyclonedx.json** - CycloneDX 1.4 format (ECMA standard)
 
 ### Audit Dependencies
 
@@ -406,20 +405,17 @@ just ci::full
 
 ### SBOM Files
 
-**LICENSE.md** (7.4 KB)
-- Lists all dependencies with their licenses
-- Organized by license type
-- Compliance summary
-
-**SBOM.spdx.json** (139 KB)
+**SBOM.spdx.json** (~350-400 KB)
 - SPDX 2.3 format (ISO/IEC 5962:2021)
-- 287 components with unique identifiers
-- Compatible with SPDX validators and GitHub Dependabot
+- Complete component inventory with unique identifiers
+- Compatible with SPDX validators, GitHub Dependabot, and osv-scanner
+- Generated by [cargo-sbom](https://crates.io/crates/cargo-sbom)
 
-**SBOM.cyclonedx.json** (90 KB)
-- CycloneDX 1.4 format (modern standard)
-- 286 components with package URLs
-- Compatible with vulnerability scanners and SCA tools
+**SBOM.cyclonedx.json** (~280-320 KB)
+- CycloneDX 1.4 format (ECMA standard)
+- Complete component inventory with Package URLs (pURL)
+- Compatible with vulnerability scanners and SCA tools (Dependabot, Snyk)
+- Generated by [cargo-sbom](https://crates.io/crates/cargo-sbom)
 
 ### Supply Chain Security