Add tests and implement timeline ingestion options with NATS and Redis subscribers

- Introduced `BinaryReachabilityLifterTests` to validate binary lifting functionality.
- Created `PackRunWorkerOptions` for configuring worker paths and execution persistence.
- Added `TimelineIngestionOptions` for configuring NATS and Redis ingestion transports.
- Implemented `NatsTimelineEventSubscriber` for subscribing to NATS events.
- Developed `RedisTimelineEventSubscriber` for reading from Redis Streams.
- Added `TimelineEnvelopeParser` to normalize incoming event envelopes.
- Created unit tests for `TimelineEnvelopeParser` to ensure correct field mapping.
- Implemented `TimelineAuthorizationAuditSink` for logging authorization outcomes.

scripts/mirror/README.md

@@ -5,5 +5,7 @@
 - `verify_thin_bundle.py`: checks SHA256 sidecars, manifest schema, tar determinism, required layers, optional bundle meta and DSSE signatures; accepts `--bundle-meta`, `--pubkey`, `--tenant`, `--environment`.
 - `ci-sign.sh`: CI wrapper. Set `MIRROR_SIGN_KEY_B64` (base64-encoded Ed25519 PEM) and run; it builds, signs, and verifies in one step, emitting `milestone.json` with manifest/tar/bundle hashes.
 - `verify_oci_layout.py`: validates OCI layout/index/manifest and blob digests when `OCI=1` is used.
+- `mirror-create.sh`: convenience wrapper to build + verify thin bundles (optional SIGN_KEY, time anchor, OCI flag).
+- `mirror-verify.sh`: wrapper around `verify_thin_bundle.py` for quick hash/DSSE checks.
 
 Artifacts live under `out/mirror/thin/`.

scripts/mirror/mirror-create.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Deterministic wrapper for building mirror-thin-v1 bundles.
+# Usage: mirror-create.sh [--out out/mirror/thin] [--sign-key path.pem] [--oci] [--time-anchor path.json]
+
+OUT="out/mirror/thin"
+SIGN_KEY=""
+TIME_ANCHOR=""
+OCI=0
+
+usage() {
+  echo "Usage: $0 [--out <dir>] [--sign-key key.pem] [--oci] [--time-anchor path.json]" >&2
+  exit 2
+}
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --out) OUT=${2:-}; shift ;;
+    --sign-key) SIGN_KEY=${2:-}; shift ;;
+    --time-anchor) TIME_ANCHOR=${2:-}; shift ;;
+    --oci) OCI=1 ;;
+    *) usage ;;
+  esac
+  shift
+done
+
+ROOT=$(cd "$(dirname "$0")/.." && pwd)
+pushd "$ROOT/.." >/dev/null
+
+export SIGN_KEY
+export TIME_ANCHOR_FILE=${TIME_ANCHOR:-}
+export OCI
+export OUT
+
+src/Mirror/StellaOps.Mirror.Creator/make-thin-v1.sh
+
+echo "Bundle built under $OUT"
+python scripts/mirror/verify_thin_bundle.py \
+  "$OUT/mirror-thin-v1.manifest.json" \
+  "$OUT/mirror-thin-v1.tar.gz" \
+  --bundle-meta "$OUT/mirror-thin-v1.bundle.json"
+
+popd >/dev/null
+echo "Create/verify completed"

scripts/mirror/mirror-verify.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Verify a mirror-thin-v1 bundle and optional DSSE signatures.
+# Usage: mirror-verify.sh manifest.json bundle.tar.gz [--bundle-meta bundle.json] [--pubkey key.pub] [--tenant t] [--environment env]
+
+manifest=${1:-}
+bundle=${2:-}
+shift 2 || true
+
+bundle_meta=""
+pubkey=""
+tenant=""
+environment=""
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --bundle-meta) bundle_meta=${2:-}; shift ;;
+    --pubkey) pubkey=${2:-}; shift ;;
+    --tenant) tenant=${2:-}; shift ;;
+    --environment) environment=${2:-}; shift ;;
+    *) echo "Unknown arg $1" >&2; exit 2 ;;
+  esac
+  shift
+done
+
+[[ -z "$manifest" || -z "$bundle" ]] && { echo "manifest and bundle required" >&2; exit 2; }
+
+args=("$manifest" "$bundle")
+[[ -n "$bundle_meta" ]] && args+=("--bundle-meta" "$bundle_meta")
+[[ -n "$pubkey" ]] && args+=("--pubkey" "$pubkey")
+[[ -n "$tenant" ]] && args+=("--tenant" "$tenant")
+[[ -n "$environment" ]] && args+=("--environment" "$environment")
+
+python scripts/mirror/verify_thin_bundle.py "${args[@]}"
+
+echo "Mirror bundle verification passed."