blocker move 1

docs/modules/sbomservice/api/projection-read.md

@@ -0,0 +1,29 @@
+# SBOM Projection Read API (LNM v1)
+
+- **Endpoint:** `GET /sboms/{snapshotId}/projection?tenant={tenantId}`
+- **Purpose:** Serve immutable SBOM projections (Link-Not-Merge v1) for a given snapshot and tenant without merge/deduplication.
+- **Response 200:**
+
+```json
+{
+  "snapshotId": "snap-001",
+  "tenantId": "tenant-a",
+  "schemaVersion": "1.0.0",
+  "hash": "<sha256 of projection payload>",
+  "projection": { /* LNM v1 projection payload */ }
+}
+```
+
+- **Errors:**
+  - 400 when `snapshotId` or `tenant` is missing or blank.
+  - 404 when no projection exists for the given snapshot/tenant.
+
+- **Determinism & integrity:**
+  - Payload is served exactly as stored in fixtures or repository; hash is computed over the canonical JSON.
+  - No mutation/merge logic applied.
+
+- **Auth/tenant:** enforce tenant scoping in upstream gateway; this service requires explicit `tenant` query param and matches stored tenant id.
+
+- **Fixtures:** `docs/modules/sbomservice/fixtures/lnm-v1/projections.json` (hashes in `SHA256SUMS`).
+
+- **Metrics:** TBD in observability doc; to be added when backed by persistent store.