Verify an output certificate

The broker signs every output certificate with Ed25519. The signature covers a canonicalized (sorted-key) JSON of the entire payload except the signature field. The public key is published at /v1/public-key. Any auditor — compliance, regulator, end-user — can verify the certificate offline against the published key.