Add tests and implement timeline ingestion options with NATS and Redis subscribers

- Introduced `BinaryReachabilityLifterTests` to validate binary lifting functionality.
- Created `PackRunWorkerOptions` for configuring worker paths and execution persistence.
- Added `TimelineIngestionOptions` for configuring NATS and Redis ingestion transports.
- Implemented `NatsTimelineEventSubscriber` for subscribing to NATS events.
- Developed `RedisTimelineEventSubscriber` for reading from Redis Streams.
- Added `TimelineEnvelopeParser` to normalize incoming event envelopes.
- Created unit tests for `TimelineEnvelopeParser` to ensure correct field mapping.
- Implemented `TimelineAuthorizationAuditSink` for logging authorization outcomes.

docs/modules/scanner/fixtures/cdx17-cbom/sample-cdx17-cbom.json

@@ -10,10 +10,26 @@
       "name": "demo-app",
       "version": "1.0.0",
       "purl": "pkg:demo/demo-app@1.0.0",
-      "hashes": [ { "alg": "SHA-256", "content": "d" } ],
-      "evidence": { "properties": [ { "name": "evidence:source", "value": "fixture" } ] }
+      "hashes": [
+        { "alg": "SHA-256", "content": "1111111111111111111111111111111111111111111111111111111111111111" }
+      ],
+      "evidence": {
+        "properties": [
+          { "name": "evidence:source", "value": "fixture" },
+          { "name": "evidence:hash", "value": "blake3:fixture-demo-app" }
+        ]
+      }
     },
-    "tools": [ { "vendor": "stellaops", "name": "scanner", "version": "0.0.0-fixture" } ]
+    "properties": [
+      { "name": "source.repo", "value": "https://example.invalid/demo" },
+      { "name": "source.ref", "value": "refs/tags/v1.0.0" },
+      { "name": "build.id", "value": "build-123" },
+      { "name": "build.invocation.hash", "value": "blake3:deadbeef" },
+      { "name": "provenance.dsse", "value": "sha256:2222222222222222222222222222222222222222222222222222222222222222" }
+    ],
+    "tools": [
+      { "vendor": "stellaops", "name": "scanner", "version": "0.0.0-fixture" }
+    ]
   },
   "services": [
     {
@@ -25,16 +41,43 @@
     }
   ],
   "components": [
-    { "type": "library", "name": "lib-a", "version": "1.2.3", "purl": "pkg:demo/lib-a@1.2.3" },
-    { "type": "library", "name": "lib-b", "version": "2.0.0", "purl": "pkg:demo/lib-b@2.0.0" }
+    {
+      "type": "library",
+      "name": "lib-a",
+      "version": "1.2.3",
+      "purl": "pkg:demo/lib-a@1.2.3",
+      "hashes": [ { "alg": "SHA-256", "content": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" } ]
+    },
+    {
+      "type": "library",
+      "name": "lib-b",
+      "version": "2.0.0",
+      "purl": "pkg:demo/lib-b@2.0.0",
+      "hashes": [ { "alg": "SHA-256", "content": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" } ]
+    }
   ],
   "vulnerabilities": [
     {
       "id": "CVE-0000-0001",
       "source": { "name": "NVD" },
       "ratings": [
-        { "source": { "name": "NVD" }, "method": "CVSSv4", "score": 8.0, "vector": "CVSS:4.0/AV:N/AC:L" },
-        { "source": { "name": "NVD" }, "method": "CVSSv3.1", "score": 7.5, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }
+        {
+          "source": { "name": "NVD" },
+          "method": "CVSSv4",
+          "score": 8.0,
+          "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
+        },
+        {
+          "source": { "name": "NVD" },
+          "method": "CVSSv3.1",
+          "score": 7.5,
+          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        }
+      ],
+      "properties": [
+        { "name": "evidence:source", "value": "fixture" },
+        { "name": "evidence:proof-id", "value": "proof-123" },
+        { "name": "evidence:hash", "value": "sha256:3333333333333333333333333333333333333333333333333333333333333333" }
       ]
     }
   ]