feat: reshape fossa-sbom.json to 5-key attribution top-level

Replaces the 2-key {project, dependencies} shape with the real FOSSA
attribution shape: copyrightsByLicense, deepDependencies,
directDependencies, licenses, project.

The SBOM project field is now the 2-key {name, revision} subset rather
than the 6-key analyze project shape. _partition_dependencies is a stub
returning ([], []) until Tasks 7-9 fill in per-dependency entries.

Author: flowstate

socketsecurity/fossa_compat.py

@@ -362,26 +362,28 @@ def build_fossa_report_payload(diff_report: Diff, config: CliConfig) -> dict[str
     }
 
 
-def build_fossa_attribution_payload(diff_report: Diff, config: CliConfig) -> dict[str, Any]:
-    project = _build_project_metadata(diff_report, config)
-    packages = getattr(diff_report, "packages", {}) or {}
-    package_entries = []
-
-    for package in packages.values():
-        package_entries.append({
-            "id": package.id,
-            "name": package.name,
-            "version": package.version,
-            "ecosystem": _ecosystem_to_package_manager(package.type),
-            "direct": bool(getattr(package, "direct", False)),
-            "url": package.url,
-            "purl": package.purl,
-            "declaredLicense": package.license,
-            "licenseDetails": package.licenseDetails or [],
-            "licenseAttrib": package.licenseAttrib or [],
-        })
+def _build_attribution_project(diff_report: Diff, config: CliConfig) -> dict[str, Any]:
+    repo = getattr(config, "repo", None) or "socket-default-repo"
+    revision = (
+        getattr(diff_report, "id", None)
+        or getattr(diff_report, "new_scan_id", None)
+        or "unknown-revision"
+    )
+    return {"name": repo, "revision": revision}
+
 
+def _partition_dependencies(packages: list[Package]) -> tuple[list[dict[str, Any]], list[dict[str, Any]]]:
+    """Stub: filled in by Tasks 7-9. Returns (direct, deep) lists of Dependency dicts."""
+    return ([], [])
+
+
+def build_fossa_attribution_payload(diff_report: Diff, config: CliConfig) -> dict[str, Any]:
+    packages = list((getattr(diff_report, "packages", {}) or {}).values())
+    direct, deep = _partition_dependencies(packages)
     return {
-        "project": project,
-        "dependencies": package_entries,
+        "copyrightsByLicense": {},
+        "deepDependencies": deep,
+        "directDependencies": direct,
+        "licenses": {},
+        "project": _build_attribution_project(diff_report, config),
     }

tests/unit/test_fossa_compat.py

@@ -278,6 +278,36 @@ def test_vulnerability_gap_fields_emit_known_defaults():
     assert proj_entry["firstFoundAt"] is None
 
 
+def test_attribution_payload_top_level_is_5_keys():
+    """fossa-sbom.json has exactly the 5 keys from `fossa report --json attribution`."""
+    config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"])
+    payload = build_fossa_attribution_payload(Diff(), config)
+    assert set(payload.keys()) == {
+        "copyrightsByLicense",
+        "deepDependencies",
+        "directDependencies",
+        "licenses",
+        "project",
+    }
+
+
+def test_attribution_project_has_only_name_and_revision():
+    """SBOM `project` is the 2-key subset, not the 6-key analyze project."""
+    config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa", "--repo", "acme/widgets"])
+    diff = Diff(id="rev-x")
+    payload = build_fossa_attribution_payload(diff, config)
+    assert payload["project"] == {"name": "acme/widgets", "revision": "rev-x"}
+
+
+def test_attribution_empty_diff_yields_empty_collections():
+    config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"])
+    payload = build_fossa_attribution_payload(Diff(), config)
+    assert payload["copyrightsByLicense"] == {}
+    assert payload["licenses"] == {}
+    assert payload["directDependencies"] == []
+    assert payload["deepDependencies"] == []
+
+
 def test_vulnerability_version_ranges_sourced_from_socket_fields():
     """affectedVersionRanges/patchedVersionRanges come from Socket's singular fields, wrapped."""
     from socketsecurity.fossa_compat import _build_vulnerability_entry