feat: add --summary CLI flag to output high-level SBOM metrics

[corepacket]

Description

Fixes #27
This PR introduces a new --summary CLI flag to the sbomit generate command to act as an immediate, lightweight observability dashboard. Instead of having to inspect massive raw JSON SBOM outputs, users can now pass this flag to see a high-level aggregation of their attestation-enriched dependencies directly in their terminal.

What's Changed

• CLI Flag: Hooked up a --summary boolean flag in cmd/generate.go.
• Summary Package: Created the pkg/generator/summary.go logic to iterate through the generated sbom.Document nodes.
• PURL Extraction: Added safe parsing mechanisms to grab the ecosystem string prefix directly from the node's PURL (e.g., extracting pypi from pkg:pypi/...).
• Deterministic Output: The summary output is explicitly alphabetized on the ecosystem keys to guarantee clean, deterministic outputs.
• Unit Testing: Added rigorous testing coverage to pkg/generator/summary_test.go ensuring precise ecosystem identification and total package counts.

Example Output

Running: ./sbomit generate sample-attestation.json --summary

SBOM Summary
------------
Total Packages: 90

Ecosystem Breakdown:
  cargo: 38
  pypi: 51
  unknown: 1

[absol27]

LGTM, but some minor nits:

1. I think the current report can be default behavior
2. the --summary flag for a more detailed record, showing list of packages
3. then a flag to suppress std out (but maybe that's for later)
4. We ideally shouldn't have "unknown" packages, if they are files then report them as files. If they are truly unknown, as in we dont handle them rn, let us know so we can build the parsers for them

[corepacket]

@absol27 Thanks for the feedback — just confirming the updated plan:

1. Make the current summary output the default behavior of generate
2. Repurpose --summary to show a more detailed breakdown (package list per ecosystem)
3. Replace "unknown" with more meaningful classification (e.g., "file" or surface unclassified cases)

I’ll proceed with this unless you’d like anything adjusted.

[absol27]

Looks great, that's the summary of the plan!

[corepacket]

Hello @absol27, could you please take a look? I’ve updated the PR.

[absol27]

Sorry @corepacket missed the notification.

I think the current report can be default behavior
the --summary flag for a more detailed record, showing list of packages
then a flag to suppress std out (but maybe that's for later)

The summary report with the --summary flag LGTM. I think some of these haven't been addressed. When the summary flag isn't used, we still want a brief report[count of packages and files instead of names]. Details when --summary flag is used, and maybe a --silent or --quiet flag to suppress any stdout.

Also can you please rebase onto the latest main and make sure those changes are preserved.