feat: Implement Filesystem and MongoDB provenance writers for PackRun execution context

- Added `FilesystemPackRunProvenanceWriter` to write provenance manifests to the filesystem.
- Introduced `MongoPackRunArtifactReader` to read artifacts from MongoDB.
- Created `MongoPackRunProvenanceWriter` to store provenance manifests in MongoDB.
- Developed unit tests for filesystem and MongoDB provenance writers.
- Established `ITimelineEventStore` and `ITimelineIngestionService` interfaces for timeline event handling.
- Implemented `TimelineIngestionService` to validate and persist timeline events with hashing.
- Created PostgreSQL schema and migration scripts for timeline indexing.
- Added dependency injection support for timeline indexer services.
- Developed tests for timeline ingestion and schema validation.

bench/reachability-benchmark/cases/java/spring-deserialize/case.yaml

@@ -0,0 +1,38 @@
+id: "java-spring-deserialize:201"
+language: java
+project: spring-deserialize
+version: "1.0.0"
+description: "Java deserialization sink reachable via POST /api/upload"
+entrypoints:
+  - "POST /api/upload"
+sinks:
+  - id: "JavaDeserialize::handleRequest"
+    path: "bench.reachability.App.handleRequest"
+    kind: "custom"
+    location:
+      file: src/App.java
+      line: 9
+    notes: "java.io.ObjectInputStream on user-controlled payload"
+environment:
+  os_image: "eclipse-temurin:21-jdk"
+  runtime:
+    java: "21"
+  source_date_epoch: 1730000000
+build:
+  command: "./build/build.sh"
+  source_date_epoch: 1730000000
+  outputs:
+    artifact_path: outputs/binary.tar.gz
+    sbom_path: outputs/sbom.cdx.json
+    coverage_path: outputs/coverage.json
+    traces_dir: outputs/traces
+test:
+  command: "./build/build.sh"
+  expected_coverage: []
+  expected_traces: []
+  env:
+    JAVA_TOOL_OPTIONS: "-ea"
+ground_truth:
+  summary: "Deserialization reachable"
+  evidence_files:
+    - "../benchmark/truth/java-spring-deserialize.json"

bench/reachability-benchmark/cases/java/spring-deserialize/entrypoints.yaml

@@ -0,0 +1,8 @@
+case_id: "java-spring-deserialize:201"
+entries:
+  http:
+    - id: "POST /api/upload"
+      route: "/api/upload"
+      method: "POST"
+      handler: "App.handleRequest"
+      description: "Binary payload base64-deserialized"

bench/reachability-benchmark/cases/java/spring-deserialize/pom.xml

@@ -0,0 +1,12 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>org.stellaops.bench</groupId>
+  <artifactId>spring-deserialize</artifactId>
+  <version>1.0.0</version>
+  <packaging>jar</packaging>
+  <properties>
+    <maven.compiler.source>17</maven.compiler.source>
+    <maven.compiler.target>17</maven.compiler.target>
+  </properties>
+</project>

bench/reachability-benchmark/cases/java/spring-deserialize/src/App.java

@@ -0,0 +1,26 @@
+package bench.reachability;
+
+import java.util.Map;
+import java.util.Base64;
+import java.io.*;
+
+public class App {
+    // Unsafe Java deserialization sink (reachable)
+    public static Response handleRequest(Map<String, String> body) {
+        String payload = body.get("payload");
+        if (payload == null) {
+            return new Response(400, "bad request");
+        }
+        try {
+            byte[] data = Base64.getDecoder().decode(payload);
+            ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));
+            Object obj = ois.readObject();
+            ois.close();
+            return new Response(200, obj.toString());
+        } catch (Exception ex) {
+            return new Response(500, ex.getClass().getSimpleName());
+        }
+    }
+
+    public record Response(int status, String body) {}
+}

bench/reachability-benchmark/cases/java/spring-deserialize/src/AppTest.java

@@ -0,0 +1,30 @@
+package bench.reachability;
+
+import java.io.*;
+import java.util.*;
+import java.util.Base64;
+
+// Simple hand-rolled test harness (no external deps) using Java assertions.
+public class AppTest {
+    private static String serialize(Object obj) throws IOException {
+        ByteArrayOutputStream bos = new ByteArrayOutputStream();
+        ObjectOutputStream oos = new ObjectOutputStream(bos);
+        oos.writeObject(obj);
+        oos.close();
+        return Base64.getEncoder().encodeToString(bos.toByteArray());
+    }
+
+    public static void main(String[] args) throws Exception {
+        String payload = serialize("hello");
+        Map<String, String> body = Map.of("payload", payload);
+        var res = App.handleRequest(body);
+        assert res.status() == 200 : "status";
+        assert res.body().equals("hello") : "body";
+        // Emit a simple marker file for trace/coverage stand-ins
+        File outDir = new File("outputs");
+        outDir.mkdirs();
+        try (FileWriter fw = new FileWriter(new File(outDir, "SINK_REACHED"))) {
+            fw.write("true");
+        }
+    }
+}