Add tests and implement timeline ingestion options with NATS and Redis subscribers

- Introduced `BinaryReachabilityLifterTests` to validate binary lifting functionality.
- Created `PackRunWorkerOptions` for configuring worker paths and execution persistence.
- Added `TimelineIngestionOptions` for configuring NATS and Redis ingestion transports.
- Implemented `NatsTimelineEventSubscriber` for subscribing to NATS events.
- Developed `RedisTimelineEventSubscriber` for reading from Redis Streams.
- Added `TimelineEnvelopeParser` to normalize incoming event envelopes.
- Created unit tests for `TimelineEnvelopeParser` to ensure correct field mapping.
- Implemented `TimelineAuthorizationAuditSink` for logging authorization outcomes.
StellaOps Bot
2025-12-03 09:46:48 +02:00
parent e923880694
commit 35c8f9216f
520 changed files with 4416 additions and 31492 deletions

@@ -1,26 +1,46 @@
# Sprint 508 - Ops & Offline · 190.C) Ops Offline Kit
# Sprint 508 · Ops Offline Kit (Ops & Offline 190.C)
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
## Topic & Scope
- Package offline kit with CLI/task packs, orchestrator/export/notifier bundles, container bundles, Surface.Secrets, and registry mirror assets.
- Ensure manifests/signatures, tests, and docs reflect bundled artefacts.
- **Working directory:** ops/offline-kit and related ops/devops offline-kit scripts.
[Ops & Offline] 190.C) Ops Offline Kit
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli
Summary: Ops & Offline focus on Ops Offline Kit).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CLI-PACKS-43-002 | DONE (2025-11-26) | Bundle Task Pack samples, registry mirror seeds, Task Runner configs, and CLI binaries with checksums into Offline Kit. | Offline Kit Guild, Packs Registry Guild (ops/offline-kit)
DEVOPS-OFFLINE-17-004 | DONE (2025-11-23) | Release debug store mirrored into Offline Kit (`out/offline-kit/metadata/debug-store.json`) via `mirror_debug_store.py`. | Offline Kit Guild, DevOps Guild (ops/offline-kit)
DEVOPS-OFFLINE-34-006 | DONE (2025-11-26) | Bundle orchestrator service container, worker SDK samples, Postgres snapshot, and dashboards into Offline Kit with manifest/signature updates. Dependencies: DEVOPS-OFFLINE-17-004. | Offline Kit Guild, Orchestrator Service Guild (ops/offline-kit)
DEVOPS-OFFLINE-37-001 | DONE (2025-11-26) | Export Center offline bundles + verification tooling (mirror artefacts, verification CLI, manifest/signature refresh, air-gap import script). Dependencies: DEVOPS-OFFLINE-34-006. | Offline Kit Guild, Exporter Service Guild (ops/offline-kit)
DEVOPS-OFFLINE-37-002 | DONE (2025-11-26) | Notifier offline packs (sample configs, template/digest packs, dry-run harness) with integrity checks and operator docs. Dependencies: DEVOPS-OFFLINE-37-001. | Offline Kit Guild, Notifications Service Guild (ops/offline-kit)
OFFLINE-CONTAINERS-46-001 | DONE (2025-11-26) | Include container air-gap bundle, verification docs, and mirrored registry instructions inside Offline Kit. | Offline Kit Guild, Deployment Guild (ops/offline-kit)
OPS-SECRETS-02 | DONE (2025-11-26) | Add Surface.Secrets bundles (encrypted creds, manifests) to Offline Kit packaging plus verification script. Dependencies: OPS-SECRETS-02. | Offline Kit Guild, DevOps Guild (ops/offline-kit)
## Dependencies & Concurrency
- Depends on upstream service artefacts (Orchestrator, Export Center, Notifier, container bundles) and Surface.Secrets outputs.
- Concurrency: packaging can proceed per artefact once source bundle available.
## Documentation Prerequisites
- docs/24_OFFLINE_KIT.md
- docs/modules/devops/architecture.md
- ops/offline-kit README/tests
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CLI-PACKS-43-002 | DONE (2025-11-26) | None | Offline Kit Guild · Packs Registry Guild | Bundle Task Pack samples, registry mirror seeds, Task Runner configs, CLI binaries with checksums. |
| 2 | DEVOPS-OFFLINE-17-004 | DONE (2025-11-23) | None | Offline Kit Guild · DevOps Guild | Mirror release debug store into Offline Kit (`out/offline-kit/metadata/debug-store.json`). |
| 3 | DEVOPS-OFFLINE-34-006 | DONE (2025-11-26) | Depends on 17-004 | Offline Kit Guild · Orchestrator Guild | Bundle orchestrator service container, worker SDK samples, Postgres snapshot, dashboards with manifest/signature updates. |
| 4 | DEVOPS-OFFLINE-37-001 | DONE (2025-11-26) | Depends on 34-006 | Offline Kit Guild · Exporter Guild | Export Center offline bundles + verification tooling, manifest/signature refresh, air-gap import script. |
| 5 | DEVOPS-OFFLINE-37-002 | DONE (2025-11-26) | Depends on 37-001 | Offline Kit Guild · Notifications Guild | Notifier offline packs with configs/templates/dry-run harness + integrity checks and docs. |
| 6 | OFFLINE-CONTAINERS-46-001 | DONE (2025-11-26) | None | Offline Kit Guild · Deployment Guild | Include container air-gap bundle, verification docs, mirrored registry instructions inside Offline Kit. |
| 7 | OPS-SECRETS-02 | DONE (2025-11-26) | Depends on Surface.Secrets assets | Offline Kit Guild · DevOps Guild | Add Surface.Secrets bundles (encrypted creds, manifests) to Offline Kit packaging plus verification script. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-26 | Wired Offline Kit packaging to include CLI binaries (release/cli), Task Runner bootstrap config, and task-pack docs; updated `test_build_offline_kit.py` to cover new artefacts. Marked CLI-PACKS-43-002 DONE. | Implementer |
| 2025-11-26 | Added container bundle pickup (release/containers/images) and mirrored registry doc copy; updated offline kit test coverage; marked OFFLINE-CONTAINERS-46-001 DONE. | Implementer |
| 2025-11-26 | Added orchestrator (service, worker SDK, postgres, dashboards), Export Center bundles, Notifier offline packs, and Surface.Secrets bundles to packaging; expanded offline kit unit test accordingly. Marked DEVOPS-OFFLINE-34-006/37-001/37-002 and OPS-SECRETS-02 DONE. | Implementer |
| 2025-12-03 | Normalised sprint file to standard template; no status changes. | Planning |
| 2025-11-26 | Wired Offline Kit packaging to include CLI binaries, Task Runner bootstrap config, and task-pack docs; updated `test_build_offline_kit.py`; marked CLI-PACKS-43-002 DONE. | Implementer |
| 2025-11-26 | Added container bundle pickup (release/containers/images) and mirrored registry doc copy; offline kit test coverage updated; marked OFFLINE-CONTAINERS-46-001 DONE. | Implementer |
| 2025-11-26 | Added orchestrator (service, worker SDK, postgres, dashboards), Export Center bundles, Notifier offline packs, and Surface.Secrets bundles; expanded offline kit unit test; marked DEVOPS-OFFLINE-34-006/37-001/37-002 and OPS-SECRETS-02 DONE. | Implementer |
| 2025-11-26 | Added bundle composition counts to `<bundle>.metadata.json` (cli/task packs/containers/orchestrator/export/notifier/secrets) and documented in `docs/24_OFFLINE_KIT.md`; test updated. | Implementer |
| 2025-11-26 | Updated Offline Kit doc (`docs/24_OFFLINE_KIT.md`) to describe newly bundled assets (CLI/task packs, orchestrator/export/notifier kits, container bundles, Surface.Secrets) and documented release-dir auto-pickup rules. | Implementer |
| 2025-11-26 | Updated Offline Kit doc to describe newly bundled assets and release-dir auto-pickup rules. | Implementer |
| 2025-11-23 | Release debug store mirrored into Offline Kit (`out/offline-kit/metadata/debug-store.json`) via `mirror_debug_store.py`. | Offline Kit Guild |
## Decisions & Risks
- Packaging assumes release artefacts present under `out/`/`release/`; ensure CI populates before running offline kit build.
- Surface.Secrets bundles require consistent encryption keys and unpack paths across offline kit and deployment docs.
- Keep `test_build_offline_kit.py` updated when new artefact types are added to avoid silent omissions.
## Next Checkpoints
- Validate latest service releases still picked up automatically by offline kit script before next drop.
- Re-run offline kit tests when new artefact type is added (e.g., new service bundles) and refresh `docs/24_OFFLINE_KIT.md`.
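
Review bot: Delivery Tracker rows 3 to 5 shorten their dependencies to "Depends on 17-004", "Depends on 34-006" and "Depends on 37-001", dropping the `DEVOPS-OFFLINE-` prefix that the earlier task table spelled out; write the full task IDs so the dependency chain stays searchable. Row 7 and the Surface.Secrets bullet under Decisions & Risks refer to a "verification script" and to "consistent encryption keys" without naming the script or saying where the keys are kept relative to the kit; name the script and reference the document that defines key handling, since an operator unpacking encrypted creds offline has nothing else to go on. The 2025-12-03 Execution Log entry says "no status changes", yet the commit message covers only timeline ingestion, subscribers and tests; mention the sprint-file normalisation there, or split it into its own commit, so this documentation change can be traced.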