Module verify

Supply-chain security: verify MCP server binaries before spawning.

Two independent checks, both optional:

  1. SHA-256 hash pin: computed from the binary on disk, compared to config.sha256.
  2. Cosign bundle: delegates to the cosign verify-blob CLI (must be on PATH).

Either check failing is fatal: verify_binary returns Err and the gateway refuses to start.
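
The hash-pin check (check 1) and its fail-closed behaviour, as an added example that is not this crate's own code. The names sha256_hex and check_pin are hypothetical, and SHA-256 is implemented inline only so the block builds with the standard library alone.

```rust
use std::{fs, path::Path}; // added example, std only: not the gateway's own verify code
const K: [u32; 64] = [ // SHA-256 round constants (FIPS 180-4)
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
];
/// SHA-256 of `data` as lowercase hex (production code would use a vetted hash crate).
fn sha256_hex(data: &[u8]) -> String {
    let mut h: [u32; 8] = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19];
    let mut m = [data, &[0x80u8][..]].concat(); // padding: 0x80, zeros, then 64-bit bit length
    while m.len() % 64 != 56 { m.push(0); }
    m.extend_from_slice(&((data.len() as u64) * 8).to_be_bytes());
    for block in m.chunks(64) {
        let mut w = [0u32; 64];
        for i in 0..16 { w[i] = u32::from_be_bytes([block[4 * i], block[4 * i + 1], block[4 * i + 2], block[4 * i + 3]]); }
        for i in 16..64 {
            let s0 = w[i - 15].rotate_right(7) ^ w[i - 15].rotate_right(18) ^ (w[i - 15] >> 3);
            let s1 = w[i - 2].rotate_right(17) ^ w[i - 2].rotate_right(19) ^ (w[i - 2] >> 10);
            w[i] = w[i - 16].wrapping_add(s0).wrapping_add(w[i - 7]).wrapping_add(s1);
        }
        let mut v = h;
        for i in 0..64 {
            let [a, b, c, d, e, f, g, hh] = v;
            let s1 = e.rotate_right(6) ^ e.rotate_right(11) ^ e.rotate_right(25);
            let t1 = hh.wrapping_add(s1).wrapping_add((e & f) ^ (!e & g)).wrapping_add(K[i]).wrapping_add(w[i]);
            let s0 = a.rotate_right(2) ^ a.rotate_right(13) ^ a.rotate_right(22);
            let t2 = s0.wrapping_add((a & b) ^ (a & c) ^ (b & c));
            v = [t1.wrapping_add(t2), a, b, c, d.wrapping_add(t1), e, f, g];
        }
        for i in 0..8 { h[i] = h[i].wrapping_add(v[i]); }
    }
    h.iter().map(|x| format!("{x:08x}")).collect()
}
/// Hypothetical helper: hash-pin check that fails closed (Err on read error or mismatch).
fn check_pin(path: &Path, pinned: &str) -> Result<(), String> {
    let got = sha256_hex(&fs::read(path).map_err(|e| format!("cannot read {}: {e}", path.display()))?);
    if got.eq_ignore_ascii_case(pinned.trim()) { return Ok(()); }
    Err(format!("sha256 mismatch for {}: got {got}, pinned {}", path.display(), pinned.trim()))
}
fn main() {
    let a: Vec<String> = std::env::args().collect(); // args: <absolute-path> <sha256-hex>
    if a.len() != 3 { eprintln!("usage: verify-pin <absolute-path> <sha256-hex>"); std::process::exit(2); }
    if let Err(e) = check_pin(Path::new(&a[1]), &a[2]) { eprintln!("refusing to spawn: {e}"); std::process::exit(1); }
}
```

Pass the already resolved absolute path and spawn that same path afterwards, so the file that was hashed is the file that runs.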

Functions

verify_binary
Resolve cmd to an absolute path, then run all configured checks. Returns Ok(()) if all enabled checks pass, Err otherwise.