feat: VerifyNpmPackage API with supplied tuf client

[ramonpetgrave64]

This PR

• allow supplying a SigstoreTufClient
• adds a guide on how to use in ./docs/Api-Library.md
• enables --print-provenance

Offline rekor verification already works so long as the provenance is a valid sigstore bundle, though we could consider adding an explicit option to enforce offline rekor verifification.

• https://github.com/ramonpetgrave64/slsa-verifier/blob/a2edf56f612f6ef4baef66fb07cd62988432d357/verifiers/internal/gha/provenance.go#L217-L229

Fixes #493

Testing

• manual invocation of the tool
• unit added regression tests
• used the library from another demo module, like in ./docs/Api-Library.md

Followups

• support the 1.0 provenance spec
  • https://github.com/slsa-framework/slsa-verifier/issues/614
• use a logger, rather than printing the intermediate messages, https://github.com/slsa-framework/slsa-verifier/pull/772
  • https://github.com/slsa-framework/slsa-verifier/blob/e7a8f74b9ca5838dbb2042308c889db9e73886f7/verifiers/internal/gha/verifier.go#L89

[ramonpetgrave64]

@slugclub

[ramonpetgrave64]

This is looking great, thanks so much for working on this. I have a few minor nits but overall it's looking good.

Thanks for the review! I was also looking into logging in https://github.com/slsa-framework/slsa-verifier/pull/772,

[ramonpetgrave64]

@slugclub thanks again. @ianlewis @laurentsimon , please take a look

[haydentherapper]

cc @loosebazooka

[ramonpetgrave64]

@loosebazooka