Refactor code structure for improved readability and maintainability; optimize performance in key functions.

docs/modules/sbomservice/retention-policy.md

@@ -0,0 +1,18 @@
+# SBOM ledger retention policy
+
+## Purpose
+Retention keeps ledger history bounded while preserving audit trails for compliance.
+
+## Configuration
+Settings are bound from `SbomService:Ledger` (env prefix `SBOM_SbomService__Ledger__`):
+- `MaxVersionsPerArtifact`: max ledger versions retained per artifact (default 50).
+- `MaxAgeDays`: prune versions older than N days (0 disables age pruning).
+- `MinVersionsToKeep`: minimum versions always retained per artifact.
+
+## Operations
+- `POST /internal/sbom/retention/prune` applies retention rules and returns a summary.
+- `GET /internal/sbom/ledger/audit?artifact=<ref>` returns audit entries for create/prune actions.
+
+## Guarantees
+- Audit entries are append-only and preserved even when versions are pruned.
+- Deterministic ordering is used when selecting versions to prune.