feat(sca): runtime SCA reachability with telemetry benchmarks

Implements Runtime SCA Reachability — the tracer reports which vulnerable
symbols have actually been invoked at runtime, reducing false positives
from static SCA analysis.

- DependencyEntry model with reachability metadata tracking
- DependencyTracker for heartbeat-based dependency reporting
- Skip re-report scan when SCA is disabled (idle heartbeat optimization)
- CVE loader, registry, resolver, and instrumenter for SCA hooks
- SCA product integration with telemetry writer
- SLO benchmark suite (benchmarks/telemetry_dependencies/)
- Standalone benchmark scripts (perf_bench_heartbeat_cycles/sca_telemetry)
- Riot env and suitespec entries for SCA tests and benchmarks
- Flask integration test for SCA telemetry via testagent

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: avara1986

.riot/requirements/1428c37.txt .riot/requirements/11335dd.txt.riot/requirements/1428c37.txt renamed to .riot/requirements/11335dd.txt

@@ -2,16 +2,20 @@
 # This file is autogenerated by pip-compile with Python 3.14
 # by the following command:
 #
-#    pip-compile --allow-unsafe --no-annotate .riot/requirements/1428c37.in
+#    pip-compile --allow-unsafe --no-annotate .riot/requirements/11335dd.in
 #
 attrs==26.1.0
 babel==2.18.0
 blinker==1.9.0
-click==8.3.1
+certifi==2026.2.25
+charset-normalizer==3.4.7
+click==8.3.2
 coverage[toml]==7.13.5
 flask==2.3.3
 flask-babel==4.0.0
+greenlet==3.3.2
 hypothesis==6.45.0
+idna==3.11
 iniconfig==2.3.0
 itsdangerous==2.2.0
 jinja2==3.1.6
@@ -21,13 +25,15 @@ opentracing==2.4.0
 packaging==26.0
 pluggy==1.6.0
 psycopg2-binary==2.9.11
-pygments==2.19.2
+pygments==2.20.0
 pytest==9.0.2
 pytest-cov==7.1.0
 pytest-mock==3.15.1
 pytest-randomly==4.0.1
 pytz==2026.1.post1
+requests==2.33.1
 sortedcontainers==2.4.0
-sqlalchemy==2.0.48
+sqlalchemy==2.0.49
 typing-extensions==4.15.0
-werkzeug==3.1.7
+urllib3==2.6.3
+werkzeug==3.1.8

.riot/requirements/1df8e9a.txt .riot/requirements/148c37a.txt.riot/requirements/1df8e9a.txt renamed to .riot/requirements/148c37a.txt

@@ -2,16 +2,20 @@
 # This file is autogenerated by pip-compile with Python 3.12
 # by the following command:
 #
-#    pip-compile --allow-unsafe --no-annotate .riot/requirements/1df8e9a.in
+#    pip-compile --allow-unsafe --no-annotate .riot/requirements/148c37a.in
 #
 attrs==26.1.0
 babel==2.18.0
 blinker==1.9.0
-click==8.3.1
+certifi==2026.2.25
+charset-normalizer==3.4.7
+click==8.3.2
 coverage[toml]==7.13.5
 flask==3.1.3
 flask-babel==4.0.0
+greenlet==3.3.2
 hypothesis==6.45.0
+idna==3.11
 iniconfig==2.3.0
 itsdangerous==2.2.0
 jinja2==3.1.6
@@ -21,13 +25,15 @@ opentracing==2.4.0
 packaging==26.0
 pluggy==1.6.0
 psycopg2-binary==2.9.11
-pygments==2.19.2
+pygments==2.20.0
 pytest==9.0.2
 pytest-cov==7.1.0
 pytest-mock==3.15.1
 pytest-randomly==4.0.1
 pytz==2026.1.post1
+requests==2.33.1
 sortedcontainers==2.4.0
-sqlalchemy==2.0.48
+sqlalchemy==2.0.49
 typing-extensions==4.15.0
-werkzeug==3.1.7
+urllib3==2.6.3
+werkzeug==3.1.8

.riot/requirements/5cef9f9.txt .riot/requirements/176aab2.txt.riot/requirements/5cef9f9.txt renamed to .riot/requirements/176aab2.txt

@@ -2,17 +2,21 @@
 # This file is autogenerated by pip-compile with Python 3.9
 # by the following command:
 #
-#    pip-compile --allow-unsafe --no-annotate .riot/requirements/5cef9f9.in
+#    pip-compile --allow-unsafe --no-annotate .riot/requirements/176aab2.in
 #
 attrs==26.1.0
 babel==2.18.0
 blinker==1.9.0
+certifi==2026.2.25
+charset-normalizer==3.4.7
 click==8.1.8
 coverage[toml]==7.10.7
 exceptiongroup==1.3.1
 flask==2.3.3
 flask-babel==4.0.0
+greenlet==3.2.5
 hypothesis==6.45.0
+idna==3.11
 importlib-metadata==8.7.1
 iniconfig==2.1.0
 itsdangerous==2.2.0
@@ -23,15 +27,17 @@ opentracing==2.4.0
 packaging==26.0
 pluggy==1.6.0
 psycopg2-binary==2.9.11
-pygments==2.19.2
+pygments==2.20.0
 pytest==8.4.2
 pytest-cov==7.1.0
 pytest-mock==3.15.1
 pytest-randomly==4.0.1
 pytz==2026.1.post1
+requests==2.32.5
 sortedcontainers==2.4.0
-sqlalchemy==2.0.48
+sqlalchemy==2.0.49
 tomli==2.4.1
 typing-extensions==4.15.0
-werkzeug==3.1.7
+urllib3==2.6.3
+werkzeug==3.1.8
 zipp==3.23.0

.riot/requirements/6843c56.txt .riot/requirements/18269eb.txt.riot/requirements/6843c56.txt renamed to .riot/requirements/18269eb.txt

@@ -2,16 +2,20 @@
 # This file is autogenerated by pip-compile with Python 3.13
 # by the following command:
 #
-#    pip-compile --allow-unsafe --no-annotate .riot/requirements/6843c56.in
+#    pip-compile --allow-unsafe --no-annotate .riot/requirements/18269eb.in
 #
 attrs==26.1.0
 babel==2.18.0
 blinker==1.9.0
-click==8.3.1
+certifi==2026.2.25
+charset-normalizer==3.4.7
+click==8.3.2
 coverage[toml]==7.13.5
 flask==3.1.3
 flask-babel==4.0.0
+greenlet==3.3.2
 hypothesis==6.45.0
+idna==3.11
 iniconfig==2.3.0
 itsdangerous==2.2.0
 jinja2==3.1.6
@@ -21,13 +25,15 @@ opentracing==2.4.0
 packaging==26.0
 pluggy==1.6.0
 psycopg2-binary==2.9.11
-pygments==2.19.2
+pygments==2.20.0
 pytest==9.0.2
 pytest-cov==7.1.0
 pytest-mock==3.15.1
 pytest-randomly==4.0.1
 pytz==2026.1.post1
+requests==2.33.1
 sortedcontainers==2.4.0
-sqlalchemy==2.0.48
+sqlalchemy==2.0.49
 typing-extensions==4.15.0
-werkzeug==3.1.7
+urllib3==2.6.3
+werkzeug==3.1.8

.riot/requirements/1335c92.txt .riot/requirements/190e5df.txt.riot/requirements/1335c92.txt renamed to .riot/requirements/190e5df.txt

@@ -2,17 +2,21 @@
 # This file is autogenerated by pip-compile with Python 3.10
 # by the following command:
 #
-#    pip-compile --allow-unsafe --no-annotate .riot/requirements/1335c92.in
+#    pip-compile --allow-unsafe --no-annotate .riot/requirements/190e5df.in
 #
 attrs==26.1.0
 babel==2.18.0
 blinker==1.9.0
-click==8.3.1
+certifi==2026.2.25
+charset-normalizer==3.4.7
+click==8.3.2
 coverage[toml]==7.13.5
 exceptiongroup==1.3.1
 flask==2.3.3
 flask-babel==4.0.0
+greenlet==3.3.2
 hypothesis==6.45.0
+idna==3.11
 iniconfig==2.3.0
 itsdangerous==2.2.0
 jinja2==3.1.6
@@ -22,14 +26,16 @@ opentracing==2.4.0
 packaging==26.0
 pluggy==1.6.0
 psycopg2-binary==2.9.11
-pygments==2.19.2
+pygments==2.20.0
 pytest==9.0.2
 pytest-cov==7.1.0
 pytest-mock==3.15.1
 pytest-randomly==4.0.1
 pytz==2026.1.post1
+requests==2.33.1
 sortedcontainers==2.4.0
-sqlalchemy==2.0.48
+sqlalchemy==2.0.49
 tomli==2.4.1
 typing-extensions==4.15.0
-werkzeug==3.1.7
+urllib3==2.6.3
+werkzeug==3.1.8

.riot/requirements/1ab3731.txt

@@ -0,0 +1,19 @@
+#
+# This file is autogenerated by pip-compile with Python 3.12
+# by the following command:
+#
+#    pip-compile --allow-unsafe --no-annotate .riot/requirements/1ab3731.in
+#
+attrs==26.1.0
+coverage[toml]==7.13.5
+hypothesis==6.45.0
+iniconfig==2.3.0
+mock==5.2.0
+opentracing==2.4.0
+packaging==26.0
+pluggy==1.6.0
+pygments==2.20.0
+pytest==9.0.3
+pytest-cov==7.1.0
+pytest-mock==3.15.1
+sortedcontainers==2.4.0

.riot/requirements/1d488a9.txt

@@ -0,0 +1,19 @@
+#
+# This file is autogenerated by pip-compile with Python 3.13
+# by the following command:
+#
+#    pip-compile --allow-unsafe --no-annotate .riot/requirements/1d488a9.in
+#
+attrs==26.1.0
+coverage[toml]==7.13.5
+hypothesis==6.45.0
+iniconfig==2.3.0
+mock==5.2.0
+opentracing==2.4.0
+packaging==26.0
+pluggy==1.6.0
+pygments==2.20.0
+pytest==9.0.3
+pytest-cov==7.1.0
+pytest-mock==3.15.1
+sortedcontainers==2.4.0

.riot/requirements/1f1aeb9.txt .riot/requirements/1dbdbea.txt.riot/requirements/1f1aeb9.txt renamed to .riot/requirements/1dbdbea.txt

@@ -2,16 +2,20 @@
 # This file is autogenerated by pip-compile with Python 3.12
 # by the following command:
 #
-#    pip-compile --allow-unsafe --no-annotate .riot/requirements/1f1aeb9.in
+#    pip-compile --allow-unsafe --no-annotate .riot/requirements/1dbdbea.in
 #
 attrs==26.1.0
 babel==2.18.0
 blinker==1.9.0
-click==8.3.1
+certifi==2026.2.25
+charset-normalizer==3.4.7
+click==8.3.2
 coverage[toml]==7.13.5
 flask==2.3.3
 flask-babel==4.0.0
+greenlet==3.3.2
 hypothesis==6.45.0
+idna==3.11
 iniconfig==2.3.0
 itsdangerous==2.2.0
 jinja2==3.1.6
@@ -21,13 +25,15 @@ opentracing==2.4.0
 packaging==26.0
 pluggy==1.6.0
 psycopg2-binary==2.9.11
-pygments==2.19.2
+pygments==2.20.0
 pytest==9.0.2
 pytest-cov==7.1.0
 pytest-mock==3.15.1
 pytest-randomly==4.0.1
 pytz==2026.1.post1
+requests==2.33.1
 sortedcontainers==2.4.0
-sqlalchemy==2.0.48
+sqlalchemy==2.0.49
 typing-extensions==4.15.0
-werkzeug==3.1.7
+urllib3==2.6.3
+werkzeug==3.1.8

.riot/requirements/1e5dd1a.txt

@@ -0,0 +1,22 @@
+#
+# This file is autogenerated by pip-compile with Python 3.10
+# by the following command:
+#
+#    pip-compile --allow-unsafe --no-annotate .riot/requirements/1e5dd1a.in
+#
+attrs==26.1.0
+coverage[toml]==7.13.5
+exceptiongroup==1.3.1
+hypothesis==6.45.0
+iniconfig==2.3.0
+mock==5.2.0
+opentracing==2.4.0
+packaging==26.0
+pluggy==1.6.0
+pygments==2.20.0
+pytest==9.0.3
+pytest-cov==7.1.0
+pytest-mock==3.15.1
+sortedcontainers==2.4.0
+tomli==2.4.1
+typing-extensions==4.15.0

.riot/requirements/f40feb8.txt .riot/requirements/42964a4.txt.riot/requirements/f40feb8.txt renamed to .riot/requirements/42964a4.txt

@@ -2,14 +2,14 @@
 # This file is autogenerated by pip-compile with Python 3.13
 # by the following command:
 #
-#    pip-compile --allow-unsafe --no-annotate .riot/requirements/f40feb8.in
+#    pip-compile --allow-unsafe --no-annotate .riot/requirements/42964a4.in
 #
 attrs==26.1.0
 babel==2.18.0
 blinker==1.9.0
 certifi==2026.2.25
-charset-normalizer==3.4.6
-click==8.3.1
+charset-normalizer==3.4.7
+click==8.3.2
 coverage[toml]==7.13.5
 flask==3.1.3
 flask-babel==4.0.0
@@ -27,17 +27,17 @@ opentracing==2.4.0
 packaging==26.0
 pluggy==1.6.0
 psycopg2-binary==2.9.11
-pygments==2.19.2
+pygments==2.20.0
 pytest==9.0.2
 pytest-cov==7.1.0
 pytest-mock==3.15.1
 pytest-randomly==4.0.1
 pytz==2026.1.post1
-requests==2.33.0
+requests==2.31.0
 sortedcontainers==2.4.0
-sqlalchemy==2.0.48
+sqlalchemy==2.0.49
 typing-extensions==4.15.0
 urllib3==2.6.3
-werkzeug==3.1.7
+werkzeug==3.1.8
 zope-event==6.1
 zope-interface==8.2