Function verify 

pub fn verify(args: &PackVerifyArgs) -> Result<PackVerifyJsonData, PackError>

Verify the bundle at args.bundle:

1. Read the archive (tar.zst) and decode the manifest.
2. Recompute the canonical bundle hash from manifest + contents.
3. If the manifest carries an Ed25519 signature, run the existing verify_workflow_bundle_signature check; refuse unsigned bundles unless --allow-unsigned was passed.
4. Walk each ModuleEntry and verify its source_hash_blake3 / harnbc_hash_blake3 match the in-archive payload.

Any mismatch yields a PackError with a stable structured code suitable for JSON consumers.