Add tests and implement timeline ingestion options with NATS and Redis subscribers

- Introduced `BinaryReachabilityLifterTests` to validate binary lifting functionality.
- Created `PackRunWorkerOptions` for configuring worker paths and execution persistence.
- Added `TimelineIngestionOptions` for configuring NATS and Redis ingestion transports.
- Implemented `NatsTimelineEventSubscriber` for subscribing to NATS events.
- Developed `RedisTimelineEventSubscriber` for reading from Redis Streams.
- Added `TimelineEnvelopeParser` to normalize incoming event envelopes.
- Created unit tests for `TimelineEnvelopeParser` to ensure correct field mapping.
- Implemented `TimelineAuthorizationAuditSink` for logging authorization outcomes.
StellaOps Bot
2025-12-03 09:46:48 +02:00
parent e923880694
commit 35c8f9216f
520 changed files with 4416 additions and 31492 deletions


@@ -1,6 +1,6 @@
# Deterministic SBOM Composition (Spec Draft)
# Deterministic SBOM Composition
> **Status:** Draft v0.1 (Sprint 136 / 203 / 209 linkage)
> **Status:** Ready v1.0 (Sprint 136 linkage; fixtures dated 2025-12-03)
> **Owners:** Scanner Guild · DevEx/CLI Guild · UI Guild · Docs Guild · Security Guild
> **Related Tasks:** `SCANNER-SURFACE-04`, `SURFACE-FS-07`, `SCANNER-EMIT-15-001`, `SCANNER-SORT-02`, `CLI-SBOM-60-001`, `CLI-SBOM-60-002`, `UI-SBOM-DET-01`, `UI-POLICY-DET-01`, `DOCS-SCANNER-DET-01`, `DOCS-POLICY-DET-01`, `DOCS-CLI-DET-01`, `SCANNER-CRYPTO-90-002`, `SCANNER-CRYPTO-90-003`
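Review bot: the status line drops the Sprint 203 / 209 linkage that the Draft v0.1 header carried, while the Related Tasks line below it still lists the CLI, UI and Docs task IDs that presumably lived under those sprints; if the work moved, say where (or keep the linkage), otherwise the "Ready v1.0" header reads as if those deliverables were dropped rather than completed.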
@@ -46,6 +46,19 @@ Guarantee that every container scan yields **provably deterministic** SBOM artif
3. Re-run composition locally (using canonical ordering) and compare `sha256(c14n(composed))` against `manifest.properties["stellaops:merkle.root"]`.
4. Optionally validate provided Merkle proofs (leaf → root) and attest that the UI/Policy gate marked the scan as deterministic.
### 3.1 Reference fixture (deterministic-compose)
- Path: `docs/modules/scanner/fixtures/deterministic-compose/` (generated 2025-12-03 by `generate.py`).
- Quick verify:
```bash
cd docs/modules/scanner/fixtures/deterministic-compose
sha256sum -c hashes.txt
jq -r '.payload' fragment-layer1.dsse.json | base64 -d | sha256sum
jq -r '.merkleRootSha256' _composition.json
jq -r '.properties[] | select(.name=="stellaops:merkle.root").value' bom.cdx.json
```
Expected Merkle root: `963e421d21be2db87895ea5fd973a0ad71aa638499c274308e013d2b6c8243f6` (matches `_composition.json` and `bom.cdx.json`).
- Regenerate deterministically: `python generate.py && sha256sum -c hashes.txt` (standard library only).
## 4. Deliverables Checklist
| Area | Deliverable |
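Review bot: the "Quick verify" block only checks what `sha256sum -c hashes.txt` covers; the three `jq` lines print values for the reader to compare by eye, and the DSSE payload hash line has no expected value stated at all, so the block cannot fail on a mismatch. Suggest comparing explicitly, e.g. `test "$(jq -r '.merkleRootSha256' _composition.json)" = "$(jq -r '.properties[] | select(.name=="stellaops:merkle.root").value' bom.cdx.json)"`, state what the fragment payload digest should equal, and note that this check does not verify the DSSE signatures (that is left to `stella sbomer compose --verify` in section 5). Also, since `hashes.txt` ships inside the fixture directory it is only a consistency check, not an integrity check; the "Expected Merkle root" line is the anchor for that and should be indented under the bullet so it renders as part of the list.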
@@ -57,7 +70,13 @@ Guarantee that every container scan yields **provably deterministic** SBOM artif
| Docs | Updated scanner/cli/policy guides, offline kit instructions |
| Tests | Regression suites covering canonicalization, DSSE verification, PQ keypaths, Merkle roots |
## 5. References
## 5. Operational workflow (worker → CLI/UI/Policy)
- **Worker**: emit fragment DSSE + `_composition.json` into the surface manifest; persist `stellaops:composition.manifest` and `stellaops:merkle.root` properties on composed BOMs so downstream consumers do not recompute merges.
- **CLI**: verify bundles offline with `stella sbomer compose --recipe docs/modules/scanner/fixtures/deterministic-compose/_composition.json --fragments-dir docs/modules/scanner/fixtures/deterministic-compose --verify` (see `docs/cli/sbomer.md`). The command should fail if any DSSE signature, Merkle root, or BOM hash diverges.
- **UI / Policy**: render determinism badge using `stellaops:merkle.root`; block promotion when `_composition.json` is missing or hashes disagree; expose drift diagnostics by recomputing composition locally and comparing to BOM properties.
- **Export/Offline**: include `_composition.json`, fragment DSSEs, `bom.cdx.json`, and `hashes.txt` when building Offline Kit bundles so replay jobs can validate without network.
## 6. References
- `docs/modules/scanner/architecture.md`
- `docs/modules/scanner/design/surface-fs.md`
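Review bot: the Worker bullet says the persisted `stellaops:composition.manifest` / `stellaops:merkle.root` properties exist "so downstream consumers do not recompute merges", but the UI / Policy bullet two lines later requires "recomputing composition locally and comparing to BOM properties"; these should agree. Suggest wording the Worker bullet as an optimisation (properties let consumers skip recomputation for display, while any gate decision still recomputes from `_composition.json` and the fragment DSSEs), since the BOM properties are self-asserted by the producer and cannot be the sole basis for blocking promotion. In the CLI bullet, "The command should fail" ought to be a hard requirement ("must exit non-zero") so the offline-kit replay jobs in the Export bullet have a defined failure signal.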