Config-driven HMAC signature verification engine.
Covers the GitHub / Stripe / Slack / most-vendors family of webhook schemes through three knobs: the signing template (what bytes go into the MAC), the signature-extraction pattern (how to pull the hex digest out of the header), and an optional timestamp header + pattern for replay protection.
Vendor modules (Verifier.Stripe, Verifier.Github, Verifier.Slack)
are thin wrappers that bake in vendor-specific defaults and delegate
here. Host apps can use this engine directly for custom schemes by
passing a full config map to verify/4.
Secret resolution always goes through the configured
SkillKit.CredentialProvider — the module never holds a plaintext
secret across a tool call boundary.