Add tests and implement timeline ingestion options with NATS and Redis subscribers

- Introduced `BinaryReachabilityLifterTests` to validate binary lifting functionality.
- Created `PackRunWorkerOptions` for configuring worker paths and execution persistence.
- Added `TimelineIngestionOptions` for configuring NATS and Redis ingestion transports.
- Implemented `NatsTimelineEventSubscriber` for subscribing to NATS events.
- Developed `RedisTimelineEventSubscriber` for reading from Redis Streams.
- Added `TimelineEnvelopeParser` to normalize incoming event envelopes.
- Created unit tests for `TimelineEnvelopeParser` to ensure correct field mapping.
- Implemented `TimelineAuthorizationAuditSink` for logging authorization outcomes.

bench/reachability-benchmark/cases/c/guarded-system/outputs/attestation.json

@@ -0,0 +1,22 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicate": {
+    "buildType": "stub",
+    "builder": {
+      "id": "stub"
+    },
+    "metadata": {
+      "buildFinishedOn": "1970-01-01T00:00:00Z",
+      "buildStartedOn": "1970-01-01T00:00:00Z"
+    }
+  },
+  "predicateType": "https://slsa.dev/provenance/v0.2",
+  "subject": [
+    {
+      "digest": {
+        "sha256": "stub"
+      },
+      "name": "c-guarded-system:001"
+    }
+  ]
+}

bench/reachability-benchmark/cases/c/guarded-system/outputs/coverage.json

@@ -0,0 +1,9 @@
+{
+  "files": [
+    {
+      "path": "src/main.c",
+      "functions": ["main", "run_guarded"],
+      "coverage": 1.0
+    }
+  ]
+}

bench/reachability-benchmark/cases/c/guarded-system/outputs/traces/traces.json

@@ -0,0 +1,6 @@
+{
+  "events": [
+    {"path": "src/main.c::main", "type": "entry"},
+    {"path": "src/main.c::run_guarded", "type": "call"}
+  ]
+}

bench/reachability-benchmark/cases/c/memcpy-overflow/outputs/attestation.json

@@ -0,0 +1,22 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicate": {
+    "buildType": "stub",
+    "builder": {
+      "id": "stub"
+    },
+    "metadata": {
+      "buildFinishedOn": "1970-01-01T00:00:00Z",
+      "buildStartedOn": "1970-01-01T00:00:00Z"
+    }
+  },
+  "predicateType": "https://slsa.dev/provenance/v0.2",
+  "subject": [
+    {
+      "digest": {
+        "sha256": "stub"
+      },
+      "name": "c-memcpy-overflow:001"
+    }
+  ]
+}

bench/reachability-benchmark/cases/c/memcpy-overflow/outputs/coverage.json

@@ -0,0 +1,9 @@
+{
+  "files": [
+    {
+      "path": "src/main.c",
+      "functions": ["main", "process"],
+      "coverage": 1.0
+    }
+  ]
+}

bench/reachability-benchmark/cases/c/memcpy-overflow/outputs/traces/traces.json

@@ -0,0 +1,6 @@
+{
+  "events": [
+    {"path": "src/main.c::main", "type": "entry"},
+    {"path": "src/main.c::process", "type": "call"}
+  ]
+}

bench/reachability-benchmark/cases/c/unsafe-system/outputs/attestation.json

@@ -0,0 +1,22 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicate": {
+    "buildType": "stub",
+    "builder": {
+      "id": "stub"
+    },
+    "metadata": {
+      "buildFinishedOn": "1970-01-01T00:00:00Z",
+      "buildStartedOn": "1970-01-01T00:00:00Z"
+    }
+  },
+  "predicateType": "https://slsa.dev/provenance/v0.2",
+  "subject": [
+    {
+      "digest": {
+        "sha256": "stub"
+      },
+      "name": "c-unsafe-system:001"
+    }
+  ]
+}

bench/reachability-benchmark/cases/c/unsafe-system/outputs/coverage.json

@@ -0,0 +1,9 @@
+{
+  "files": [
+    {
+      "path": "src/main.c",
+      "functions": ["main", "run_command"],
+      "coverage": 1.0
+    }
+  ]
+}

bench/reachability-benchmark/cases/c/unsafe-system/outputs/traces/traces.json

@@ -0,0 +1,6 @@
+{
+  "events": [
+    {"path": "src/main.c::main", "type": "entry"},
+    {"path": "src/main.c::run_command", "type": "call"}
+  ]
+}

bench/reachability-benchmark/cases/js/express-eval/outputs/attestation.json

@@ -0,0 +1,22 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicate": {
+    "buildType": "stub",
+    "builder": {
+      "id": "stub"
+    },
+    "metadata": {
+      "buildFinishedOn": "1970-01-01T00:00:00Z",
+      "buildStartedOn": "1970-01-01T00:00:00Z"
+    }
+  },
+  "predicateType": "https://slsa.dev/provenance/v0.2",
+  "subject": [
+    {
+      "digest": {
+        "sha256": "stub"
+      },
+      "name": "js-express-eval:003"
+    }
+  ]
+}

bench/reachability-benchmark/cases/js/express-eval/outputs/sbom.cdx.json

@@ -0,0 +1,14 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [],
+  "metadata": {
+    "component": {
+      "name": "express-eval",
+      "type": "application",
+      "version": "1.0.0"
+    },
+    "timestamp": "1970-01-01T00:00:00Z"
+  },
+  "specVersion": "1.5",
+  "version": 1
+}

bench/reachability-benchmark/cases/js/express-guarded/outputs/attestation.json

@@ -0,0 +1,22 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicate": {
+    "buildType": "stub",
+    "builder": {
+      "id": "stub"
+    },
+    "metadata": {
+      "buildFinishedOn": "1970-01-01T00:00:00Z",
+      "buildStartedOn": "1970-01-01T00:00:00Z"
+    }
+  },
+  "predicateType": "https://slsa.dev/provenance/v0.2",
+  "subject": [
+    {
+      "digest": {
+        "sha256": "stub"
+      },
+      "name": "js-express-guarded:004"
+    }
+  ]
+}

bench/reachability-benchmark/cases/js/express-guarded/outputs/sbom.cdx.json

@@ -0,0 +1,14 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [],
+  "metadata": {
+    "component": {
+      "name": "express-guarded",
+      "type": "application",
+      "version": "1.0.0"
+    },
+    "timestamp": "1970-01-01T00:00:00Z"
+  },
+  "specVersion": "1.5",
+  "version": 1
+}

bench/reachability-benchmark/cases/js/fastify-template/outputs/attestation.json

@@ -0,0 +1,22 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicate": {
+    "buildType": "stub",
+    "builder": {
+      "id": "stub"
+    },
+    "metadata": {
+      "buildFinishedOn": "1970-01-01T00:00:00Z",
+      "buildStartedOn": "1970-01-01T00:00:00Z"
+    }
+  },
+  "predicateType": "https://slsa.dev/provenance/v0.2",
+  "subject": [
+    {
+      "digest": {
+        "sha256": "stub"
+      },
+      "name": "js-fastify-template:005"
+    }
+  ]
+}

bench/reachability-benchmark/cases/js/fastify-template/outputs/sbom.cdx.json

@@ -0,0 +1,14 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [],
+  "metadata": {
+    "component": {
+      "name": "fastify-template",
+      "type": "application",
+      "version": "1.0.0"
+    },
+    "timestamp": "1970-01-01T00:00:00Z"
+  },
+  "specVersion": "1.5",
+  "version": 1
+}

bench/reachability-benchmark/cases/js/guarded-eval/outputs/attestation.json

@@ -0,0 +1,22 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicate": {
+    "buildType": "stub",
+    "builder": {
+      "id": "stub"
+    },
+    "metadata": {
+      "buildFinishedOn": "1970-01-01T00:00:00Z",
+      "buildStartedOn": "1970-01-01T00:00:00Z"
+    }
+  },
+  "predicateType": "https://slsa.dev/provenance/v0.2",
+  "subject": [
+    {
+      "digest": {
+        "sha256": "stub"
+      },
+      "name": "js-guarded-eval:002"
+    }
+  ]
+}

bench/reachability-benchmark/cases/js/guarded-eval/outputs/sbom.cdx.json

@@ -0,0 +1,14 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [],
+  "metadata": {
+    "component": {
+      "name": "guarded-eval",
+      "type": "application",
+      "version": "1.0.0"
+    },
+    "timestamp": "1970-01-01T00:00:00Z"
+  },
+  "specVersion": "1.5",
+  "version": 1
+}

bench/reachability-benchmark/cases/js/unsafe-eval/outputs/attestation.json

@@ -0,0 +1,22 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicate": {
+    "buildType": "stub",
+    "builder": {
+      "id": "stub"
+    },
+    "metadata": {
+      "buildFinishedOn": "1970-01-01T00:00:00Z",
+      "buildStartedOn": "1970-01-01T00:00:00Z"
+    }
+  },
+  "predicateType": "https://slsa.dev/provenance/v0.2",
+  "subject": [
+    {
+      "digest": {
+        "sha256": "stub"
+      },
+      "name": "js-unsafe-eval:001"
+    }
+  ]
+}

bench/reachability-benchmark/cases/js/unsafe-eval/outputs/sbom.cdx.json

@@ -0,0 +1,14 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [],
+  "metadata": {
+    "component": {
+      "name": "unsafe-eval",
+      "type": "application",
+      "version": "1.0.0"
+    },
+    "timestamp": "1970-01-01T00:00:00Z"
+  },
+  "specVersion": "1.5",
+  "version": 1
+}

bench/reachability-benchmark/cases/py/django-ssti/outputs/attestation.json

@@ -0,0 +1,22 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicate": {
+    "buildType": "stub",
+    "builder": {
+      "id": "stub"
+    },
+    "metadata": {
+      "buildFinishedOn": "1970-01-01T00:00:00Z",
+      "buildStartedOn": "1970-01-01T00:00:00Z"
+    }
+  },
+  "predicateType": "https://slsa.dev/provenance/v0.2",
+  "subject": [
+    {
+      "digest": {
+        "sha256": "stub"
+      },
+      "name": "py-django-ssti:105"
+    }
+  ]
+}

bench/reachability-benchmark/cases/py/django-ssti/outputs/sbom.cdx.json

@@ -0,0 +1,14 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [],
+  "metadata": {
+    "component": {
+      "name": "django-ssti",
+      "type": "application",
+      "version": "1.0.0"
+    },
+    "timestamp": "1970-01-01T00:00:00Z"
+  },
+  "specVersion": "1.5",
+  "version": 1
+}