more audit work

src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/CycloneDxComposer.cs

@@ -13,6 +13,7 @@ using JsonSerializer = CycloneDX.Json.Serializer;
 using ProtoSerializer = CycloneDX.Protobuf.Serializer;
 using StellaOps.Scanner.Core.Contracts;
 using StellaOps.Scanner.Core.Utility;
+using StellaOps.Scanner.Emit.Evidence;
 
 namespace StellaOps.Scanner.Emit.Composition;
 
@@ -319,6 +320,7 @@ public sealed class CycloneDxComposer
 
     private static List<Component> BuildComponents(ImmutableArray<AggregatedComponent> components)
     {
+        var evidenceMapper = new CycloneDxEvidenceMapper();
         var result = new List<Component>(components.Length);
         foreach (var component in components)
         {
@@ -332,6 +334,7 @@ public sealed class CycloneDxComposer
                 Type = MapClassification(component.Identity.ComponentType),
                 Scope = MapScope(component.Metadata?.Scope),
                 Properties = BuildProperties(component),
+                Evidence = evidenceMapper.Map(component),
             };
 
             result.Add(model);

src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/LayerSbomRef.cs

@@ -55,6 +55,13 @@ public sealed record LayerSbomRef
     /// </summary>
     [JsonPropertyName("componentCount")]
     public required int ComponentCount { get; init; }
+
+    /// <summary>
+    /// Component PURLs in this layer.
+    /// Sprint: SPRINT_20260107_004_002 Task SG-010
+    /// </summary>
+    [JsonPropertyName("componentPurls")]
+    public IReadOnlyList<string>? ComponentPurls { get; init; }
 }
 
 /// <summary>