Build a registry mirror health checker #16

@FransDevelopment

Context

The registry supports zero-trust mirrors (spec/06-mirroring.md). Anyone can host a copy of manifest.json — if it's tampered with, the cryptographic signature breaks and the SDK rejects it. But there's no tool to monitor whether mirrors are healthy, up-to-date, and serving valid manifests.

What needs to happen

Build a CLI command or standalone script that:

  1. Takes a list of mirror URLs (or discovers them from a config)
  2. Fetches manifest.json from each mirror
  3. Verifies the Ed25519 signature matches the root public key
  4. Compares generated_at timestamps to detect stale mirrors
  5. Reports: mirror URL, signature valid/invalid, staleness, latency

Example output

Mirror Health Check — 2026-03-24T12:00:00Z

https://mirror1.example.com/manifest.json
  Signature: ✅ valid
  Generated: 2026-03-24T11:50:00Z (10 min ago)
  Latency:   142ms

https://mirror2.example.com/manifest.json
  Signature: ❌ INVALID — manifest may be tampered
  Latency:   89ms

Getting started

  • Read spec/06-mirroring.md for the mirror model
  • Read spec/08-security-model.md §1.1 for signature verification
  • The SDK's verifyManifestSignature() in sdk/typescript/ already does signature verification — you can reuse the logic

Acceptance criteria

  • Works as a CLI command or standalone script (any language)
  • Verifies manifest signatures against the root public key
  • Reports staleness and latency
  • Tests cover: valid mirror, tampered manifest, unreachable mirror
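
The checks listed under "What needs to happen", as an added example; it is not part of the original issue and not the project's SDK code. The manifest envelope (`payload` / `signature` fields), the function names, and the mirror3/mirror4 URLs are assumptions, since the real format is defined in the spec. Fetching is left out: bodies and latencies are passed in so the block runs offline on constructed data.

```typescript
import { generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";
// Assumed envelope (hypothetical): { "payload": "<signed JSON string>", "signature": "<base64 Ed25519 sig>" }
interface Fetched { url: string; body: string | null; latencyMs: number } // null = unreachable
interface Report { url: string; status: "ok" | "stale" | "invalid" | "unreachable"; lagMs?: number; latencyMs: number }

// Returns generated_at (epoch ms) only when the signature verifies, else null.
function verifiedTimestamp(body: string, rootKey: KeyObject): number | null {
  try {
    const env = JSON.parse(body);
    const sig = Buffer.from(env.signature, "base64");
    if (!verify(null, Buffer.from(env.payload, "utf8"), rootKey, sig)) return null;
    // Fields are read from the payload only after it has been authenticated.
    const ts = Date.parse(JSON.parse(env.payload).generated_at);
    return Number.isNaN(ts) ? null : ts;
  } catch {
    return null; // malformed JSON or wrong field types count as invalid
  }
}

function checkMirrors(fetched: Fetched[], rootKey: KeyObject, maxLagMs: number): Report[] {
  const seen = fetched.map((f) => ({ f, ts: f.body === null ? null : verifiedTimestamp(f.body, rootKey) }));
  // An old manifest still verifies, so lag is measured against the newest validly signed one.
  const newest = Math.max(...seen.map((s) => s.ts ?? -Infinity));
  return seen.map(({ f, ts }): Report => {
    const base = { url: f.url, latencyMs: f.latencyMs };
    if (f.body === null) return { ...base, status: "unreachable" };
    if (ts === null) return { ...base, status: "invalid" };
    const lagMs = newest - ts;
    return { ...base, status: lagMs > maxLagMs ? "stale" : "ok", lagMs };
  });
}

// Constructed sample data: a throwaway key pair stands in for the root key.
function seal(generatedAt: string, key: KeyObject): string {
  const payload = JSON.stringify({ generated_at: generatedAt, entries: [] });
  const signature = sign(null, Buffer.from(payload, "utf8"), key).toString("base64");
  return JSON.stringify({ payload, signature });
}

function demo(): Report[] {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  const fresh = seal("2026-03-24T11:50:00Z", privateKey);
  const tampered = fresh.replace("11:50", "11:59"); // edited after signing
  const old = seal("2026-03-22T09:00:00Z", privateKey); // valid signature, outdated
  const bodies = [fresh, tampered, old, null]; // null = unreachable mirror
  const fetched = bodies.map((body, i) => ({ url: `https://mirror${i + 1}.example.com/manifest.json`, body, latencyMs: 100 + i }));
  return checkMirrors(fetched, publicKey, 60 * 60 * 1000);
}
console.log(demo());
```

The third mirror is the case a signature check alone misses: its manifest verifies against the root key but lags the newest signed manifest by more than the allowed hour.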
