35c8f9216f
- Introduced `BinaryReachabilityLifterTests` to validate binary lifting functionality. - Created `PackRunWorkerOptions` for configuring worker paths and execution persistence. - Added `TimelineIngestionOptions` for configuring NATS and Redis ingestion transports. - Implemented `NatsTimelineEventSubscriber` for subscribing to NATS events. - Developed `RedisTimelineEventSubscriber` for reading from Redis Streams. - Added `TimelineEnvelopeParser` to normalize incoming event envelopes. - Created unit tests for `TimelineEnvelopeParser` to ensure correct field mapping. - Implemented `TimelineAuthorizationAuditSink` for logging authorization outcomes.
Mirror signing helpers
make-thin-v1.sh: builds thin bundle v1, computes checksums, emits bundle meta (offline/rekor/mirror gaps), optional DSSE+TUF signing whenSIGN_KEYis set, and runs verifier.sign_thin_bundle.py: signs manifest (DSSE), bundle meta (DSSE), and root/targets/snapshot/timestamp JSON using an Ed25519 PEM key.verify_thin_bundle.py: checks SHA256 sidecars, manifest schema, tar determinism, required layers, optional bundle meta and DSSE signatures; accepts--bundle-meta,--pubkey,--tenant,--environment.ci-sign.sh: CI wrapper. SetMIRROR_SIGN_KEY_B64(base64-encoded Ed25519 PEM) and run; it builds, signs, and verifies in one step, emittingmilestone.jsonwith manifest/tar/bundle hashes.verify_oci_layout.py: validates OCI layout/index/manifest and blob digests whenOCI=1is used.mirror-create.sh: convenience wrapper to build + verify thin bundles (optional SIGN_KEY, time anchor, OCI flag).mirror-verify.sh: wrapper aroundverify_thin_bundle.pyfor quick hash/DSSE checks.
Artifacts live under out/mirror/thin/.