Add --verify flag to the prove CLI command #19

@FransDevelopment

Context

The prove CLI command generates a proof-of-key-ownership file. But there is no way to verify a proof without submitting a PR and waiting for CI. A --verify flag would let contributors check their proof locally before submitting.

What needs to happen

Add a --verify mode to the existing prove command (or a new verify-proof command) that:

  1. Takes an issuer JSON file and a proof file as input
  2. Parses the proof file (extract canonical message and signature)
  3. Extracts the active Ed25519 public key from the issuer JSON
  4. Verifies the signature against the public key
  5. Reports pass/fail with details

Usage

# Generate a proof (existing)
npx @open-agent-trust/cli prove --issuer-id my-runtime --private-key my-runtime.private.pem

# Verify a proof (new)
npx @open-agent-trust/cli prove --verify --issuer-id my-runtime --issuer-file registry/issuers/my-runtime.json

Getting started

  • Read cli/src/commands/prove.ts — the signing logic is already there
  • Read spec/11-proof-of-key-ownership.md for the proof format
  • The CI workflow (.github/workflows/verify-registration.yml) already has verification logic — the CLI version should match it exactly
  • Use @noble/ed25519 verifyAsync() — same as the CI

Acceptance criteria

  • --verify flag works on the existing prove command
  • Reads proof from registry/proofs/{issuer_id}.proof (or --proof-file override)
  • Reads issuer JSON from registry/issuers/{issuer_id}.json (or --issuer-file override)
  • Reports: canonical message, signature valid/invalid, which key matched
  • Tests cover: valid proof, tampered signature, wrong issuer_id, missing proof file
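The verification steps and test cases listed in this issue, as an added sketch that is not the project's code and is not taken from the CI workflow. The issuer and proof field names, the key status values and the canonical message layout are assumptions (the real ones are defined in spec/11-proof-of-key-ownership.md), and Node's built-in crypto module stands in for @noble/ed25519 verifyAsync() so the block runs without dependencies.

```javascript
// Added example, not the project's code. Field names and the canonical
// message layout are assumptions; spec/11-proof-of-key-ownership.md is authoritative.
const nodeCrypto = require("node:crypto");

// Hypothetical canonical message that binds a proof to one issuer_id.
const canonicalMessage = (issuerId) => `proof-of-key-ownership:${issuerId}`;

function verifyProof(issuer, proof, issuerId) {
  if (!proof) return { ok: false, reason: "missing proof file" };
  if (issuer.issuer_id !== issuerId ||
      proof.canonical_message !== canonicalMessage(issuerId)) {
    return { ok: false, reason: "issuer_id mismatch" };
  }
  const message = Buffer.from(proof.canonical_message, "utf8");
  const signature = Buffer.from(proof.signature, "base64url");
  // Ed25519 signatures are exactly 64 bytes; reject anything else up front.
  if (signature.length !== 64) return { ok: false, reason: "malformed signature" };
  // Only keys marked active are tried; keys with any other status are skipped.
  for (const key of issuer.public_keys.filter((k) => k.status === "active")) {
    const publicKey = nodeCrypto.createPublicKey({
      key: { kty: "OKP", crv: "Ed25519", x: key.public_key },
      format: "jwk",
    });
    if (nodeCrypto.verify(null, message, publicKey, signature)) {
      return { ok: true, kid: key.kid, message: proof.canonical_message };
    }
  }
  return { ok: false, reason: "signature invalid for every active key" };
}

// Constructed sample: a fresh key pair, an issuer record and a matching proof.
function makeSample(issuerId) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
  const message = canonicalMessage(issuerId);
  const issuer = {
    issuer_id: issuerId,
    public_keys: [
      { kid: "key-1", status: "active", public_key: publicKey.export({ format: "jwk" }).x },
    ],
  };
  const signature = nodeCrypto.sign(null, Buffer.from(message, "utf8"), privateKey);
  return { issuer, proof: { canonical_message: message, signature: signature.toString("base64url") } };
}

const sample = makeSample("my-runtime");
console.log(verifyProof(sample.issuer, sample.proof, "my-runtime"));
```

Returning a reason string for each failure keeps the pass/fail report specific, and checking the issuer_id binding before the signature means a valid proof for one issuer cannot be replayed under another id.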
