Add SBOMEnabled field to CWSFeatureConfig for "package in use" feature #2904

Open: 0intro wants to merge 1 commit into main from djc/package-in-use

0intro commented Apr 15, 2026

What does this PR do?

Adds spec.features.cws.sbomEnabled to the DatadogAgent CRD, enabling the CWS SBOM resolver to track runtime package usage. When enabled, system-probe maps file accesses to packages and enriches SBOMs with LastSeenRunning timestamps. The env var DD_RUNTIME_SECURITY_CONFIG_SBOM_ENABLED is set on both system-probe and core agent containers.

Motivation

What inspired you to submit this pull request?

Additional Notes

Anything else we should know when reviewing?

Minimum Agent Versions

Are there minimum versions of the Datadog Agent and/or Cluster Agent required?

  • Agent: v7.78.0

Describe your test plan

Write there any instructions and details you may have to test your PR.

Checklist

  • PR has at least one valid label: bug, enhancement, refactoring, documentation, tooling, and/or dependencies
  • PR has a milestone or the qa/skip-qa label
  • All commits are signed (see: signing commits)
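
As an added example (not code from this PR or from the operator), one way to check a rendered agent pod spec for the behaviour the description states: DD_RUNTIME_SECURITY_CONFIG_SBOM_ENABLED present on both the system-probe and core agent containers. The container names `agent` and `system-probe`, the value `"true"` and the sample pod spec are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Variable named in the PR description.
const sbomEnvVar = "DD_RUNTIME_SECURITY_CONFIG_SBOM_ENABLED"

// Assumed container names for the core agent and system-probe containers.
var requiredContainers = []string{"agent", "system-probe"}

type envVar struct{ Name, Value string }
type podSpec struct {
	Containers []struct {
		Name string
		Env  []envVar
	}
}

// Constructed sample: system-probe carries the variable, the core agent does not.
const samplePodSpec = `{"containers":[
 {"name":"agent","env":[{"name":"DD_LOG_LEVEL","value":"info"}]},
 {"name":"system-probe","env":[{"name":"DD_RUNTIME_SECURITY_CONFIG_SBOM_ENABLED","value":"true"}]}
]}`

// missingSBOMEnv lists required containers lacking sbomEnvVar="true" (value assumed).
func missingSBOMEnv(specJSON string) ([]string, error) {
	var spec podSpec
	if err := json.Unmarshal([]byte(specJSON), &spec); err != nil {
		return nil, err
	}
	ok := map[string]bool{}
	for _, c := range spec.Containers {
		for _, e := range c.Env {
			ok[c.Name] = ok[c.Name] || (e.Name == sbomEnvVar && e.Value == "true")
		}
	}
	missing := []string{}
	for _, name := range requiredContainers {
		if !ok[name] {
			missing = append(missing, name)
		}
	}
	return missing, nil
}

func main() { fmt.Println(missingSBOMEnv(samplePodSpec)) }
```

A container that is absent from the spec is reported the same way as one that lacks the variable, so a disabled system-probe shows up as a gap rather than passing silently.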

codecov-commenter commented Apr 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 40.02%. Comparing base (d09fcb3) to head (affbfcd).
⚠️ Report is 2 commits behind head on main.

@@            Coverage Diff             @@
##             main    #2904      +/-   ##
==========================================
- Coverage   40.05%   40.02%   -0.04%     
==========================================
  Files         319      319              
  Lines       28052    28469     +417     
==========================================
+ Hits        11237    11394     +157     
- Misses      15993    16251     +258     
- Partials      822      824       +2     
Flag Coverage Δ
unittests 40.02% <100.00%> (-0.04%) ⬇️

Flags with carried forward coverage won't be shown.

Files with missing lines Coverage Δ
...nal/controller/datadogagent/feature/cws/feature.go 76.99% <100.00%> (+1.37%) ⬆️

... and 6 files with indirect coverage changes

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

datadog-datadog-prod-us1 bot commented Apr 15, 2026

✅ Code Coverage

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 40.05% (-0.06%)

0intro added the enhancement label Apr 15, 2026
Comment thread api/datadoghq/v2alpha1/datadogagent_types.go Outdated
Adds spec.features.cws.sbomEnabled to the DatadogAgent CRD, enabling
the CWS SBOM resolver to track runtime package usage. When enabled,
system-probe maps file accesses to packages and enriches SBOMs with
LastSeenRunning timestamps. The env var DD_RUNTIME_SECURITY_CONFIG_SBOM_ENABLED
is set on both system-probe and core agent containers.
0intro force-pushed the djc/package-in-use branch from 419cee1 to affbfcd, Apr 15, 2026 11:35
tbavelier added this to the v1.27.0 milestone Apr 15, 2026

domalessi left a comment

Editorial review — one minor suggestion on the field description.

: Enables Remote Configuration for Cloud Workload Security. Default: true

`features.cws.sbomEnabled`
: SBOMEnabled enables the SBOM resolver to track runtime package usage. When enabled, system-probe maps file accesses to packages and enriches SBOMs with LastSeenRunning timestamps ("package in use" feature). Default: false

The description opens with "SBOMEnabled enables..." which repeats the field name in the verb. Most other CWS field descriptions drop the field name (for example, "Enables Cloud Workload Security.", "Enables Remote Configuration for Cloud Workload Security.").

Suggested change
: SBOMEnabled enables the SBOM resolver to track runtime package usage. When enabled, system-probe maps file accesses to packages and enriches SBOMs with LastSeenRunning timestamps ("package in use" feature). Default: false
: Enables the SBOM resolver to track runtime package usage. When enabled, system-probe maps file accesses to packages and enriches SBOMs with LastSeenRunning timestamps ("package in use" feature). Default: false

domalessi left a comment

Left one minor suggestion but otherwise lgtm!
