feat: add CycloneDX SBOM generation and publishing support

feat: add CycloneDX Gradle plugin for standards-based SBOM generation
feat: generate SBOM artifacts in JSON and XML formats
feat: publish SBOM artifacts in CI and expose them through project reports
fix: align CycloneDX task configuration with current plugin task model
fix: remove deprecated String-based projectType assignment for Gradle 10 compatibility
chore: keep SBOM scope focused on production classpaths only

build.gradle

@@ -7,6 +7,7 @@ plugins {
     id 'info.solidsoft.pitest' version '1.19.0'
     id 'me.champeau.jmh' version '0.7.2'
     id 'org.owasp.dependencycheck' version '12.2.1'
+    id 'org.cyclonedx.bom' version '3.2.4'
     id 'com.palantir.git-version' version '4.0.0'
 }
 
@@ -14,6 +15,7 @@ group = 'org.egothor.stemmer'
 version = gitVersion(prefix:'release@')
 
 def benchmarkReportsDirectory = layout.buildDirectory.dir('reports/jmh')
+def sbomReportsDirectory = layout.buildDirectory.dir('reports/sbom')
 
 def nvdApiKey = providers.gradleProperty('nvdApiKey')
         .orElse(providers.environmentVariable('NVD_API_KEY'))
@@ -124,6 +126,25 @@ tasks.named('check') {
     // no-default, only on-demand: dependsOn(tasks.named('dependencyCheckAnalyze'))
 }
 
+allprojects {
+    tasks.matching { it.name == 'cyclonedxDirectBom' }.configureEach {
+        includeConfigs = ['runtimeClasspath', 'compileClasspath']
+        skipConfigs = ['testRuntimeClasspath', 'testCompileClasspath', 'jmh.*', 'mockitoAgent']
+        includeBomSerialNumber = true
+        includeLicenseText = false
+        includeMetadataResolution = true
+        includeBuildSystem = true
+    }
+}
+
+tasks.named('cyclonedxBom') {
+    includeBomSerialNumber = true
+    includeLicenseText = false
+    includeBuildSystem = true
+    jsonOutput.set(sbomReportsDirectory.map { it.file('radixor-sbom.json') })
+    xmlOutput.set(sbomReportsDirectory.map { it.file('radixor-sbom.xml') })
+}
+
 pitest {
     pitestVersion = '1.22.1'
     junit5PluginVersion = '1.2.3'