test(examples): verify signed manifest example

[marmar9615-cloud]

Summary

Adds verifier-backed checks for the signed-manifest example without adding CLI/scanner/MCP enforcement.

• Adds examples/signed-manifest-basic/agentbridge-keys.json with the public Ed25519 JWK matching the example signer.
• Extends npm run validate:examples to validate the key set, verify the generated signed manifest with verifyManifestSignature(), assert tamper failure with signature-invalid, and confirm an unsigned copy still schema-validates.
• Strengthens CLI example regression tests with the same verifier-backed positive/tamper checks.
• Updates example and CLI docs to explain public key set verification and that --require-signature / scanner checks / MCP enforcement are follow-ups.

Context

• v0.4.0 is published/released.
• PR feat(core): add signed manifest schemas and canonicalization #35 added core signed-manifest schemas and canonicalization.
• PR feat(sdk): add signed manifest helpers #36 added SDK signManifest / createSignedManifest helpers.
• PR test(examples): add signed manifest example coverage #38 added the signed-manifest example and schema-only validation coverage.
• PR feat(core): add signed manifest verifier #39 added core verifyManifestSignature() and test vectors.
• Claude may be working on scanner signed-manifest check IDs.

Parallel safety

This PR stays out of scanner implementation, core implementation, core tests, spec files, and MCP runtime files. It only consumes the verifier from examples/CLI tests and docs.

Files added

• examples/signed-manifest-basic/agentbridge-keys.json

Files modified

• CHANGELOG.md
• examples/README.md
• examples/signed-manifest-basic/README.md
• packages/cli/README.md
• packages/cli/src/tests/signed-examples-regression.test.ts
• scripts/validate-examples.mjs

Verifier-backed checks added

• Generated signed manifest validates through agentbridge validate.
• Example public key set validates with validateKeySet().
• Generated signed manifest verifies with verifyManifestSignature() using fixed now and expectedIssuer.
• Tampering a signed manifest field fails verification with signature-invalid.
• Generated signed manifest and public key set are scanned for private key material.
• Unsigned copy still schema-validates.

Validation

• npx vitest run packages/cli/src/tests/signed-examples-regression.test.ts — passed, 1 file / 2 tests
• npx vitest run packages/cli/src/tests — passed, 4 files / 34 tests
• npm run typecheck:clean — passed
• npm test — passed, 24 files / 386 tests
• npm run build — passed
• npm run pack:dry-run — passed, all packages OK
• npm run validate:examples — passed, including verifier-backed signed example path
• npm run validate:mcp-config-examples — passed
• npx tsx examples/signed-manifest-basic/manifest.ts > /tmp/signed-basic.agentbridge.json — passed
• node packages/cli/dist/bin.js validate /tmp/signed-basic.agentbridge.json — passed
• Manual verifier smoke with verifyManifestSignature() — passed; tampered manifest returned signature-invalid

Browser / UI status

No UI, demo-app, or Studio surface changed. CLI/example/core-verifier command-level smoke is the relevant test surface, so browser/computer-use/Playwright was not needed.

Safety confirmations

• No core/scanner/spec implementation files touched.
• No MCP runtime files touched.
• No package versions changed.
• No npm publish, git tag, or GitHub release was created.
• Dependabot PRs were untouched.
• No scanner signature checks, CLI --require-signature, or MCP enforcement implemented.