# SBOM Projection Read API (LNM v1)

- **Endpoint:** `GET /sboms/{snapshotId}/projection?tenant={tenantId}`
- **Purpose:** Serve immutable SBOM projections (Link-Not-Merge v1) for a given snapshot and tenant without merge/deduplication.
- **Response 200:**

```json
{
  "snapshotId": "snap-001",
  "tenantId": "tenant-a",
  "schemaVersion": "1.0.0",
  "hash": "<sha256 of projection payload>",
  "projection": { /* LNM v1 projection payload */ }
}
```

- **Errors:**
  - 400 when `snapshotId` or `tenant` is missing or blank.
  - 404 when no projection exists for the given snapshot/tenant.

- **Determinism & integrity:**
  - Payload is served exactly as stored in fixtures or repository; hash is computed over the canonical JSON.
  - No mutation/merge logic applied.

- **Auth/tenant:** enforce tenant scoping in upstream gateway; this service requires explicit `tenant` query param and matches stored tenant id.

- **Fixtures:** `docs/modules/sbomservice/fixtures/lnm-v1/projections.json` (hashes in `SHA256SUMS`).

- **Metrics:** TBD in observability doc; to be added when backed by persistent store.