Add unit tests and implementations for MongoDB index models and OpenAPI metadata

- Implemented `MongoIndexModelTests` to verify index models for various stores.
- Created `OpenApiMetadataFactory` with methods to generate OpenAPI metadata.
- Added tests for `OpenApiMetadataFactory` to ensure expected defaults and URL overrides.
- Introduced `ObserverSurfaceSecrets` and `WebhookSurfaceSecrets` for managing secrets.
- Developed `RuntimeSurfaceFsClient` and `WebhookSurfaceFsClient` for manifest retrieval.
- Added dependency injection tests for `SurfaceEnvironmentRegistration` in both Observer and Webhook contexts.
- Implemented tests for secret resolution in `ObserverSurfaceSecretsTests` and `WebhookSurfaceSecretsTests`.
- Created `EnsureLinkNotMergeCollectionsMigrationTests` to validate MongoDB migration logic.
- Added project files for MongoDB tests and NuGet package mirroring.

src/Provenance/StellaOps.Provenance.Attestation.Tool/Directory.Build.props

@@ -0,0 +1,5 @@
+<Project>
+  <PropertyGroup>
+    <RestoreSources>;;</RestoreSources>
+  </PropertyGroup>
+</Project>

src/Provenance/StellaOps.Provenance.Attestation.Tool/Program.cs

@@ -0,0 +1,60 @@
+using System.Text;
+using System.Text.Json;
+using StellaOps.Provenance.Attestation;
+
+static int PrintUsage()
+{
+    Console.Error.WriteLine("Usage: stella-forensic-verify --payload <file> --signature-hex <hex> --key-hex <hex> [--key-id <id>] [--content-type <ct>]");
+    return 1;
+}
+
+string? GetArg(string name)
+{
+    for (int i = 0; i < args.Length - 1; i++)
+    {
+        if (args[i].Equals(name, StringComparison.OrdinalIgnoreCase))
+            return args[i + 1];
+    }
+    return null;
+}
+
+string? payloadPath = GetArg("--payload");
+string? signatureHex = GetArg("--signature-hex");
+string? keyHex = GetArg("--key-hex");
+string keyId = GetArg("--key-id") ?? "hmac";
+string contentType = GetArg("--content-type") ?? "application/octet-stream";
+
+if (payloadPath is null || signatureHex is null || keyHex is null)
+{
+    return PrintUsage();
+}
+
+byte[] payload = await System.IO.File.ReadAllBytesAsync(payloadPath);
+byte[] signature;
+byte[] key;
+try
+{
+    signature = Hex.FromHex(signatureHex);
+    key = Hex.FromHex(keyHex);
+}
+catch (Exception ex)
+{
+    Console.Error.WriteLine($"hex parse error: {ex.Message}");
+    return 1;
+}
+
+var request = new SignRequest(payload, contentType);
+var signResult = new SignResult(signature, keyId, DateTimeOffset.MinValue, null);
+
+var verifier = new HmacVerifier(new InMemoryKeyProvider(keyId, key));
+var result = await verifier.VerifyAsync(request, signResult);
+
+var json = JsonSerializer.Serialize(new
+{
+    valid = result.IsValid,
+    reason = result.Reason,
+    verifiedAt = result.VerifiedAt.ToUniversalTime().ToString("O")
+});
+Console.WriteLine(json);
+
+return result.IsValid ? 0 : 2;

src/Provenance/StellaOps.Provenance.Attestation.Tool/StellaOps.Provenance.Attestation.Tool.csproj

@@ -0,0 +1,14 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <LangVersion>preview</LangVersion>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <PackAsTool>true</PackAsTool>
+    <ToolCommandName>stella-forensic-verify</ToolCommandName>
+    <PackageOutputPath>../../out/tools</PackageOutputPath>
+  </PropertyGroup>
+  <ItemGroup>
+    <ProjectReference Include="../StellaOps.Provenance.Attestation/StellaOps.Provenance.Attestation.csproj" />
+  </ItemGroup>
+</Project>

src/Provenance/StellaOps.Provenance.Attestation.Tool/tmpfile.txt

@@ -0,0 +1 @@
+test